UK Royal Mail third party breach exposes 144GB of customer information

The British postal service, Royal Mail, is investigating claims of data breach after a threat actor leaked over 144GB of data allegedly stolen from the company's systems. The incident has been traced to a security breach at Spectos GmbH, a third-party data collection and analytics service provider used by Royal Mail.

On March 29, 2025, Spectos confirmed its systems were breached, resulting in unauthorized access to customer data. A Royal Mail spokesperson has stated that while they are working with Spectos to investigate the issue, there has been "no impact on Royal Mail operations and services continue to function as normal."

The threat actor, who uses the handle "GHNA" on BreachForums, released 16,549 files allegedly containing sensitive Royal Mail customer information. The exposed data reportedly includes:

• Names
• Addresses
• Planned delivery dates
• Phone numbers
• Company information
• Mailchimp mailing lists
• Datasets with delivery/post office locations
• WordPress SQL database for mail agents.uk
• Internal Zoom meeting video recordings between Spectos and the Royal Mail Group

The number of affected individuals is not disclosed.

According to cybersecurity company Hudson Rock, the attackers gained access using credentials of a Spectos employee that were compromised in a 2021 information stealer malware incident. Hudson Rock CTO Alon Gal explained, "The stolen data sat dormant until recently, when it was weaponized in these high-profile leaks." Gal also confirmed that the GHNA claim is "very credible."

Spectos has disputed some aspects of the report, stating that "there are no indications of an internal attack or the use of leaked access data."