Following a number of recent cyber-security related events in the UK (for example, the suspected ransomware attack on The Guardian newspaper in December 2022 and cyber-attacks impacting upon various UK-based schools in January 2023), it has been reported this week that Royal Mail has also suffered a “cyber-incident” which has left it unable to send letters and parcels overseas following its computer systems being “severely disrupted”.

So far, Royal Mail seems to have been unable to identify the exact cause of the problem, but it is reported to be investigating the issue together with external experts and in conjunction with the National Cyber Security Centre (NCSC) and the National Crime Agency.

Although it is not yet clear whether any personal data has been compromised as a result of the incident, the UK Information Commissioner’s Office (ICO) has also been notified and an ICO spokesperson has issued a statement confirming that the ICO will be making enquiries.

This is the second incident apparently suffered by Royal Mail in recent months.  In November 2022 it was reported that Royal Mail experienced an issue with its Click & Drop service that led to some customers being able to see certain information regarding other customers’ orders.  The Click & Drop website was temporarily suspended pending resolution of the issue. 

It will be interesting to see whether this latest incident is the result of a technical problem or a cyber-security incident.

These various recent cyber-related incidents make it clear that organisations should continue to prioritise both cyber-security and personal data security more widely.  The NCSC’s 2022 Annual Review published in November 2022 noted that, during the last year, the cyber security threat to the UK had evolved significantly.  Ransomware was reported to be a continuing issue for both UK businesses and public services, with 18 ransomware attacks requiring a nationally coordinated response, while official figures revealed that there were 2.7m cyber-related frauds during the 12 months to March 2022. 

The NCSC also observed that both state and non-state cyber security threats continue to evolve and will likely present challenges.  Various other threats (for example, threats to the global supply chain via third-party vendors or suppliers and exploitation of weaknesses in IT systems) were also highlighted.

The importance of cybersecurity and implementing appropriate technical and organisational security measures to protect personal data was also emphasised by the Information Commissioner in October 2022 following the issuing of a £4.4 million fine to Interserve Group Ltd for failure to keep its employees’ personal data and certain special categories of personal data appropriately secure, which enabled a cyber-attack.  In his statement announcing the monetary penalty, John Edwards, the Information Commissioner, noted:

The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company.  If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.

With certain updates to relevant UK legislation also on the horizon (for example, the proposed changes to the Network and Information Systems Regulations 2018), UK-based businesses would do well to consider whether the technical and organisational security measures that they have implemented to protect their systems and data remain sufficiently comprehensive and robust. The aim is to minimise both the risk of cyber-security incidents and data breaches and the consequences that may follow from them, under applicable data protection and cyber-security related legislation and in terms of reputational harm.