Royal Mail customer data leak shutters online Click and Drop

A Technical Snafu Shut Down The Uk’s Royal Mail Click And Drop Website On Tuesday After A Security “issue” Allowed Some Customers To See Others’ Order Information.

The data leak started around 13:00 GMT, and according to an alert posted on Click and Drop’s status page, Royal Mail shut down the website about an hour later.

In an update posted shortly before 14:00 GMT, the postal service noted:

We have been made aware there was an issue affecting Click & Drop that meant some customers could see other customers’ orders. As a protective measure, we have stopped access to Click & Drop temporarily. We fully understand and apologise for the inconvenience caused by this. Our engineers are working as hard as possible to get the site back up and running as expected. Further updates will be posted here as soon as we have more information.

In subsequent alerts, Royal Mail assured customers that its engineers continued to work on a fix, and hoped to have the site back online “as soon as possible.” The service, which allows customers to print labels and pay for postage online, and then track packages until they reach their destination, vowed that it was “treating this as the highest priority.” 

Later, Royal Mail suggested users resort to actual paper “emergency” order forms instead of the online versions. Who even owns a printer these days? Emergency, indeed. 

About four hours later, at 18:01 GMT, the postal service marked the issue as “resolved,” and the website was up and running. “We apologise for any inconvenience this has caused our customers,” Royal Mail said. “The root cause is now under investigation.”

On Wednesday, the online service noted “no incidents reported today.” However, some customers took to Twitter to say the site still wasn’t working, and they had been charged twice but not received any postage label.  

Royal Mail did not immediately respond to The Register‘s questions about how many customers’ data was exposed, or whether the incident was due to a mistake or something more malicious.

As of Tuesday, Royal Mail had not notified the UK’s Information Commissioner’s Office (ICO), according to Sky News. The postal service has 72 hours after becoming aware of a data breach to notify the consumer privacy watchdog agency, unless the leak doesn’t “pose a risk to people’s rights and freedoms” an ICO spokesperson told the media outlet.

Suggest an edit to this article

Cybersecurity Knowledge Base

Latest Cybersecurity News

Cybersecurity Academy

Homepage

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

• Globally, 30,000 websites are hacked daily.
• 64% of companies worldwide have experienced at least one form of a cyber attack.
• There were 20M breached records in March 2021.
• In 2020, ransomware cases grew by 150%.
• Email is responsible for around 94% of all malware.
• Every 39 seconds, there is a new attack somewhere on the web.
• An average of around 24,000 malicious mobile apps are blocked daily on the internet.