The Royal Mail has suffered a data breach in its “Click & Drop” service which saw customers using the platform given unauthorised access to parcel data of other clients and companies. Click & Drop was taken offline temporarily, but Royal Mail says it has now been restored. Regulatory body, the Information Commissioner’s Office (ICO) has remarked to Tech Monitor that is has not yet been made aware of the breach.
The Click & Drop service is an online platform that allows customers to pay for postage online, print labels and track parcels when they are in transit.
How the Royal Mail data breach unfolded
Royal Mail discovered the problem with Click & Drop on Tuesday. The company, owned by International Distribution Services (IDS), has explained that it has temporarily suspended the platform and that it is conducting an investigation into the issue.
An update reads: “Royal Mail has temporarily suspended its Click & Drop website as a precautionary measure following reports that a limited number of customers were able to see information about other customers’ orders following a technical problem. We are investigating the incident in order to fix the IT issue so that you can post as soon as possible.”
While the issue was investigated, the Royal Mail asked customers to use paper equivalents, providing a link to the appropriate forms.
Click & Drop problems leave business owners fuming
The outage left business owners without access to what is a crucial service, and many took to social media to air their frustrations.
We might not be able to dispatch anything today, as it turns out; Click and Drop bugged out and started showing users other users’ orders, a massive breach of confidentiality, so they’ve shut it down. No-one can book anything with the Royal Mail right now. Amazing. pic.twitter.com/PUbqaLC3I6— Tuxford Furniture Hardware (@HardwareTuxford) November 1, 2022
Hello @RoyalMailHelp. Has @ICOnews been informed of your data breach yet? Also, why did it take almost an hour from notification to you by users of the breach to your taking @click_and_drop down? https://t.co/qCB27m66ujNovember 1, 2022
A Royal Mail spokesperson later said: “Royal Mail has restored its Click & Drop service as we have now fixed the IT systems issue. We temporarily suspended the website this afternoon as a precautionary measure following reports that some customers were able to see information about other customers’ orders following a technical problem. We apologise to our customers for any inconvenience.”
The spokesperson did not comment on the cause of the incident. Tech Monitor has asked data regulator the Information Commissioner’s Office if it is investigating the Royal Mail data breach. The regulator notes that it has not received an update from the Post Office as of yet. “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms,” explained a spokesperson for the ICO to Tech Monitor.
“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary. All organisations using personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us,” they explain.
The news comes amid a dispute between IDS and Royal Mail staff, with unions having rejected a pay offer from the company as “unacceptable” and threatening strike action.