Cyber Incident Victim: Amey PLC
Date:
Dec 2020
Location:
United Kingdom
Summary
A major cyber attack targeted a UK infrastructure management firm responsible for bin collections and street cleaning services, involving the Mount Locker ransomware group. The attackers exfiltrated and publicly leaked 143 GB of sensitive data, including contracts, passports, and financial details, while demanding a $2 billion ransom. Conti threat actors, though not directly involved, promoted the breach, indicating collaboration among multiple groups to disseminate stolen information. The involvement of at least three distinct threat actors heightened risks of persistent data exposure, undermining assurances of data destruction and amplifying potential misuse of the compromised personal, financial, and commercial records.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 3 actors | Available to members | Available to members |
Description
The cyber incident involving Amey PLC, a company contracted by Trafford Council for waste collection and street cleaning services, began in mid-December 2020. The Mount Locker ransomware group claimed responsibility for the attack, which Amey described as 'complex.' Attackers exfiltrated approximately 143 GB of sensitive data including personal information, financial records, commercial contracts, and passport details. Mount Locker subsequently published the stolen data on their dedicated leak site after Amey failed to meet their $2 billion ransom demand. The group completed the full data dump by January 2021, though the company indicated the attack remained ongoing at the time of reporting.
Multiple threat actors became involved in disseminating the stolen data despite no evidence of collaborative intrusion efforts. Conti ransomware operatives independently contacted media outlets to amplify awareness of Mount Locker’s data leak, though they denied direct participation in the initial breach. This multi-group involvement significantly increased risks of indefinite data propagation, as copies circulated beyond Mount Locker’s control. The breach exposed sensitive employee and operational documents from Amey’s infrastructure management contract with Trafford Council. No containment measures or technical responses from Amey were detailed in available reports, beyond their characterization of the attack’s sophistication. The incident demonstrated heightened threats to municipal service providers holding substantial volumes of sensitive government-related data.