View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
November 1, 2022updated 02 Nov 2022 10:39am

Royal Mail data breach sees customer information shared with other users

The postal service's Click & Drop platform was taken offline after the breach was discovered.

By Claudia Glover

The Royal Mail has suffered a data breach in its “Click & Drop” service which saw customers using the platform given unauthorised access to parcel data of other clients and companies. Click & Drop was taken offline temporarily, but Royal Mail says it has now been restored. Regulatory body, the Information Commissioner’s Office (ICO) has remarked to Tech Monitor that is has not yet been made aware of the breach.

Royal Mail breach
The Royal Mail Click & Drop service is suffering a data breach impacting its online service. (Photo by Andriy Blokhin/Shutterstock)

The Click & Drop service is an online platform that allows customers to pay for postage online, print labels and track parcels when they are in transit.

How the Royal Mail data breach unfolded

Royal Mail discovered the problem with Click & Drop on Tuesday. The company, owned by International Distribution Services (IDS), has explained that it has temporarily suspended the platform and that it is conducting an investigation into the issue. 

An update reads: “Royal Mail has temporarily suspended its Click & Drop website as a precautionary measure following reports that a limited number of customers were able to see information about other customers’ orders following a technical problem. We are investigating the incident in order to fix the IT issue so that you can post as soon as possible.”

While the issue was investigated, the Royal Mail asked customers to use paper equivalents, providing a link to the appropriate forms.

Click & Drop problems leave business owners fuming

The outage left business owners without access to what is a crucial service, and many took to social media to air their frustrations.

A Royal Mail spokesperson later said: “Royal Mail has restored its Click & Drop service as we have now fixed the IT systems issue. We temporarily suspended the website this afternoon as a precautionary measure following reports that some customers were able to see information about other customers’ orders following a technical problem. We apologise to our customers for any inconvenience.”

The spokesperson did not comment on the cause of the incident. Tech Monitor has asked data regulator the Information Commissioner’s Office if it is investigating the Royal Mail data breach. The regulator notes that it has not received an update from the Post Office as of yet. “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms,” explained a spokesperson for the ICO to Tech Monitor.

“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary. All organisations using personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us,” they explain.

The news comes amid a dispute between IDS and Royal Mail staff, with unions having rejected a pay offer from the company as “unacceptable” and threatening strike action.

Read more: Royal Mail trials autonomous drone delivery in the UK

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.