Royal Mail, the UK’s designated postal operator, announced a cyber incident January 11, halting all outbound international mail. It took a few days before the extent and cause of the attack were disclosed. The ransomware attack is attributed to the LockBit cartel, a Russian-linked group. As Advance Electronic Data (AED) is required for packages moving between countries, data systems for international mail dispatch have become necessary to the flow of mail internationally. While the exact details of this attack are not publicly available, the Royal Mail is cooperating with security authorities. Inbound mail from other countries was subject to “slight delays,” and domestic mail within the UK was not affected. Royal Mail stopped accepting all mail bound for foreign countries from customers.
On January 18, Royal Mail was able to send a “limited number” of outbound items using a work-around created to overcome the dispatch problems. As of 7 PM January 19 in the UK, letters not requiring a customs declaration were accepted to foreign addresses. They continued to request that customers not mail packages to other countries for about two weeks. As of Monday, January 23, Royal Mail was able to resume dispatch of letters and packages to an increasing number of countries. Royal Mail is slowly returning to full international operation.
The ransomware attack and suspension of international outbound mail follows a number of one-day strikes that caused delivery delays in the last months of 2022. The net cost of the strikes to Royal Mail is around £200 million (about $248 million), according to financial reports. Strikes by the Communications Workers Union (CWU) will continue into 2023, with the first one on February 16. The UK has a liberalized postal sector, allowing competition in domestic and international mail services. Customers have moved to Royal Mail’s competitors during the disruptions.
Royal Mail’s history goes back to the 1600’s, with occasional name changes over the years. A government department for most of its history, it became a government-owned statutory corporation in 1969 and a public limited company in 2000. In 2006, Royal Mail lost the 350-years monopoly on mail services. In 2013, shares in Royal Mail began trading on the stock exchange, with a great deal of controversy. Accusations appeared that the government mishandled the initial offering, as the share price increased after the initial sale. Controversy continued into 2015 when the government disposed of its remaining 30% stake in Royal Mail. Through 2019 and into 2020, Royal Mail was trading below the issue price and was demoted from the FTSE 100 in 2022.
Like the USPS, Royal Mail has had continuing financial losses. Both face serious challenges from decreasing mail volumes; both were relieved of their pension debt by legislative action leading to better-looking financial statements. Unlike Royal Mail, the USPS is a government corporation and retains its a domestic mail monopoly. The Royal Mail ransomware attack raises further questions about its future.
The suspension of international mail acceptance and dispatch has led to substantial costs to businesses, particularly smaller businesses. Some businesses have reported a lack of tracking information resulting in concerns for potentially lost articles. Refunds for late and undelivered orders have, of course, increased. Items sent to service suppliers in other countries for repair or refurbishment were held by Royal Mail, creating inventory and customer service problems. Order processing backlogs are having an effect on ongoing company operations. The ultimate cost will be difficult to determine.
As we all know, the number of attacks by hackers has been increasing year to year. Postal operators in developed and developing countries, with networks accessed by hundreds of thousands of mailers, are particularly vulnerable and must guard against intrusion. The Royal Mail ransomware attack is a warning to us all.
Merry Law is President of WorldVu LLC and the editor of Guide to Worldwide Postal-Code and Address Formats. She is a member of the UPU’s Addressing Work Group and of the U.S. International Postal and Delivery Services Federal Advisory Committee.
This article originally appeared in the March/April, 2023 issue of Mailing Systems Technology.