2025-04-02

Two years on from a devastating ransomware attack, UK postal service Royal Mail is facing the potential exposure of several gigabytes of sensitive user data, which has allegedly been leaked on the dark web for anyone to access for free.

On March 31, a user of the dark web forum BreachForum, known as ‘GHNA’, claimed to have breached Royal Mail.

The data breach allegedly impacted Spectos, a Germany-based supplier of Royal Mail. The threat actor claimed to have exfiltrated 144GB of data, including sensitive information such as the personally identifiable information (PII) of Royal Mail customers, confidential documents and internal Zoom meeting video recordings between Spectos and the Royal Mail Group.

Other data could also be included, such as delivery and post office location datasets, Mailchimp mailing lists, a WordPress SQL database for mailagents.uk and more.

The threat actor shared a sample of the allegedly compromised data, comprising 293 folders and 16,549 files, which contains names, addresses, company information, phone numbers and a screenshot of a meeting between the Royal Mail Group and Spectos.

GHNA claimed that this is not the first instance of Royal Mail data being leaked due to Spectos.

Spectos Confirms Cyber Incident

On April 1, Spectos released a public statement confirming that the company had suffered a cyber incident and was investigating it.

The next day, a Spectos spokesperson told Infosecurity that while the current scope of the incident was being investigated, they could confirm that "unauthorized access to [Spectos] systems and personal customer data has occurred."

Spectos added that despite some media reports, "there are no indications of an internal attack or the use of leaked access data."

The firm is working with external cybersecurity experts to support its investigation.

"We take this incident very seriously and are doing everything we can to avert damage, clarify the causes and harden our systems in the long term. All legal and technical steps to minimize risk are being taken at full speed and the ISO 27001-certified systems are being permanently monitored and increasingly protected," the Spectos spokesperson added.

In a statement from Royal Mail sent to Infosecurity on April 2, a spokesperson said that the company was aware of the claim made by the threat actor and confirmed that Spectos was a supplier.

“We are working with the company to investigate the issue and establish what impact, if any, there may be regarding their data. We can confirm there has been no impact on Royal Mail operations and services continue to function as normal,” the spokesperson added.

Spectos Breach Likely Linked to a 2021 Infostealer Log

Alon Gal, CEO of cybersecurity firm Hudson Rock, stated that the breach echoes a claim made by the same BreachForum user in late March 2025, who allegedly leaked 270,000 Samsung customer tickets.

Gal told Infosecurity that the GHNA claim is “very credible.”

“My analysis confirms that both incidents trace back to credentials stolen in a 2021 infostealer infection of a Spectos employee, exploited years later by GHNA,” said Gal.

Samsung appears as a partner on Spectos’ website.