Royal Mail has revealed a multimillion-pound cost attached to a serious ransomware breach it suffered earlier this year.
The British postal service company was hit by a LockBit affiliate, in an incident which caused “severe service disruption” for items sent abroad. It later transpired that the ransomware actors were demanding nearly $80m from the firm to prevent them leaking its stolen data.
Although Royal Mail refused to pay, in line with law enforcement advice, the operational costs associated with the incident are starting to emerge.
The half-year financials for the International Distribution Services business, which comprises Royal Mail and GLS, noted a 6.5% year-on-year revenue decline for the 26 weeks to September 2023. The cause given was industrial action and the ransomware breach.
The macro-economic backdrop, industrial action and the cyber-incident were blamed for a 5% drop in international parcel volumes.
Read more on incident response: Financial Services Firms Spend Over $2m on Ransomware Recovery
“The business is focused on recovering customer relationships,” Royal Mail added.
Interestingly, “infrastructure costs” increased by 5.6% in the same period. The company said this was partly fuelled by “costs of remediation and systems resilience improvement following the cyber-attack on the Heathrow Worldwide Distribution Centre of £10m.”
SecurityScorecard CISO, Steve Cobb, explained that this expenditure could include system recovery and rebuild.
“Ransomware infections will many times leave systems unusable, so they must be rebuilt from scratch and this could include purchasing new hardware and new virtual services. This is many times true even if the company pays the ransom and gets a decryption key,” he added.
“The decryption process is typically ineffective and really just gives an organization access to unencrypted data that then must be migrated to functioning infrastructure. This is very time consuming and costs lots of money.”
Hardening of identity management systems and cloud security may also be on the cards, as identity is usually compromised during a ransomware attack kill chain and cloud environments are often targeted for initial access, he added.
“They could also be investing in resources,” Cobb concluded.
“We see many of these victims who have a mature security program, but it is not monitored and maintained as it should be because they are understaffed or have staff inexperienced with hardening systems to protect from threats like ransomware.”