British postal operator Royal Mail is examining a potential data breach after a cybercriminal claimed to have leaked more than 144GB of files allegedly containing customer information. The material was published by a user known as “GHNA” on BreachForums, a known cybercrime marketplace. The threat actor claimed the files were sourced via Spectos, a third-party analytics and data services provider.
A Royal Mail spokesperson confirmed to BleepingComputer that the company is aware of an incident involving its third-party vendor, Spectos. Separately, Spectos told the publication that it had suffered a breach on 29 March, which led to unauthorised access to customer-related information. The leaked files reportedly include personally identifiable data, such as full names, addresses, package information, and planned delivery dates.
The leaked dataset spans 293 folders and includes 16,549 individual files. It was shared freely on the forum. According to the post, the dataset also contains mailing list data sourced from Mailchimp, internal Zoom meeting recordings involving Royal Mail Group and Spectos, postal network data, and a WordPress SQL database associated with the domain mailagents.uk.
Cybersecurity company Hudson Rock has linked the breach to credentials compromised in 2021 through infostealer malware that infected a Spectos employee. “In this case, the infected Spectos employee’s credentials provided a gateway to Royal Mail Group’s systems,” said Hudson Rock’s chief technology officer Alon Gal. Hudson Rock noted that these credentials were the same as those used in a recent breach involving Samsung’s customer systems.
Leaked data includes internal recordings, campaign metadata, and logistics files
The cybersecurity firm observed that the same compromised Spectos credentials were used by the same actor in both incidents. The credentials, harvested during the initial infostealer infection in 2021, were never rotated, remained valid for years, and were later used to access sensitive datasets. The threat actor published data that includes detailed campaign metadata from Mailchimp, contact records, and location-specific datasets used in delivery and logistics functions.
The leaked material also reportedly includes server directory structures, scanned documents, and technical configuration files that could further expose internal system architecture. The BreachForums post by GHNA included screenshots and file samples as purported proof of the contents. Some of the data points are timestamped between 2022 and 2024, suggesting prolonged access before the data was published.
Royal Mail has confirmed that its postal operations remain unaffected by the incident and that there has been no disruption to services. The company has not verified the full scope or authenticity of the leaked data but said its teams are investigating the breach.
The British postal firm has previously faced multiple cybersecurity incidents involving service disruption and data compromise. In January 2023, Royal Mail was targeted in a ransomware attack attributed to the LockBit group, which resulted in the suspension of international shipping services for several weeks. In a separate incident in November 2022, the company experienced a tracking system outage lasting over 24 hours.
The latest investigation is ongoing, with Royal Mail and Spectos yet to confirm whether any mitigation or notification procedures have been implemented for affected individuals.