Cyber Incident Victim: Post Office Ltd
Date: Nov 2016
Location: United Kingdom
Summary
A cyber-attack targeting internet routers disrupted services for thousands of customers of Post Office and TalkTalk, causing widespread internet access loss. The incident involved a modified Mirai worm exploiting vulnerabilities in specific Linux-based router models, including the Zyxel AMG1302 used by the organization. Approximately 100,000 Post Office users and an unspecified number of TalkTalk subscribers were affected, mirroring similar disruptions impacting Deutsche Telekom customers earlier that week. Service providers confirmed no personal data or devices were compromised, identified the source, and implemented fixes—advising affected users to reboot routers to restore connectivity. Security researchers noted the malware's focus on router vulnerabilities, with experts warning of potential future attacks on other connected devices.
Description
On November 27, 2016, a cyber-attack disrupted internet services for thousands of Post Office and TalkTalk customers in the UK. The incident targeted specific models of internet routers, including the Zyxel AMG1302 used by Post Office subscribers, causing widespread connectivity outages. Post Office confirmed approximately 100,000 customers lost internet access starting that Sunday, while TalkTalk acknowledged an unspecified number of affected users without disclosing exact figures. The attack leveraged a modified variant of the Mirai malware, a worm known for compromising Linux-based networked devices by exploiting known vulnerabilities. This malware variant propagated through hijacked systems to damage router hardware, rendering them inoperable. The incident mirrored a simultaneous attack on Deutsche Telekom in Germany, where up to 900,000 customers experienced service disruptions from the same malware family earlier that week. Security researchers had previously identified vulnerabilities in these consumer-grade routers that the Mirai worm exploited.

Post Office and TalkTalk initiated response measures by identifying the attack vector and deploying technical fixes to restore services. Both Internet Service Providers assured customers that no personal data or connected devices were compromised during the incident. They advised affected users to reboot routers to apply automated patches and regain connectivity. Kcom, another UK ISP using the same vulnerable router models, implemented network-level protections that restored most customer connections. The companies did not attribute responsibility for the attack or disclose technical specifics of their remediation steps. Cybersecurity experts warned that compromised routers could enable secondary attacks against other Internet of Things devices, including web cameras and smart televisions, if left unsecured. This incident highlighted systemic risks associated with widely deployed consumer networking equipment harboring unpatched vulnerabilities.
