Royal Mail is investigating claims of a significant data breach after a threat actor leaked over 144GB of data allegedly stolen from its systems. The incident involves Spectos GmbH, a third-party data analytics provider.
Royal Mail Data Breach and Leaked Data
A threat actor using the handle “GHNA” on BreachForums released 16,549 files. The files allegedly contain Royal Mail customers’ personally identifiable information (PII), including names, addresses, planned delivery dates, and more.
Other leaked data reportedly includes Mailchimp mailing lists, delivery/post office location datasets, the WordPress SQL database for mailagents.uk, and internal Zoom meeting recordings between Spectos and Royal Mail Group.
[Image: Royal Mail leak on BreachForums. Source: BleepingComputer]
A Royal Mail spokesperson stated, “We are aware of an incident which is alleged to have affected Spectos, a supplier of Royal Mail. We are working with the company to investigate the issue and establish what impact there may be regarding their data. We can confirm there has been no impact on Royal Mail operations and services continue to function as normal.”
Spectos also confirmed a system breach on March 29th, 2025, stating, “Spectos GmbH has been the target of an ongoing cyber attack since March 29, 2025. According to the current status, unauthorized access to systems and personal customer data has occurred. The exact scope of the incident is currently the subject of intensive forensic investigations.”
Breach Vector: Compromised Credentials
Cybersecurity firm Hudson Rock suggests the attackers leveraged stolen credentials from a Spectos employee. These credentials were reportedly compromised in a 2021 info-stealer malware incident.
Hudson Rock CTO Alon Gal explained, “In this case, the infected Spectos employee’s credentials provided a gateway to Royal Mail Group’s systems. The stolen data sat dormant until recently, when it was weaponized in these high-profile leaks.”
Royal Mail’s History of Security Incidents
This isn’t Royal Mail’s first security breach. A LockBit ransomware attack in January 2023 caused severe service disruption, including a halt to international shipping services for three weeks. Another outage in November 2022 affected tracking services for over 24 hours.