Cyber Incident Victim: Merseyrail
Date: Apr 2021
Location: United Kingdom
Summary
In April 2021 the UK rail operator Merseyrail suffered a cyberattack attributed to the Lockbit ransomware gang. The attackers compromised a director's corporate Office 365 email account and used it to send messages to employees and media outlets claiming that employee and customer data had been stolen, with a link to a sample of the allegedly exfiltrated personal information. Merseyrail confirmed the incident, opened an investigation and notified the relevant authorities, including the UK Information Commissioner's Office (ICO). Using the victim's own email system to publicise the breach extends the extortion methods ransomware groups have adopted beyond encryption: it applies reputational pressure directly and takes control of disclosure away from the victim. The attackers' messages alluded to operational impact, but Merseyrail did not publicly detail any service disruption.
Description
Merseyrail, the rail network serving sixty-eight stations in the Liverpool City Region, experienced a cyberattack likely carried out by the Lockbit ransomware gang. The incident came to light in mid-April 2021 (reporting places it around April 17-18), when BleepingComputer and several UK newspapers received an email from the compromised Office 365 account of Andy Heath, Merseyrail's Director, with the subject line "Lockbit Ransomware Attack and Data Theft." The same email went to Merseyrail employees. Written as if from Heath, it claimed the rail network had suffered a ransomware attack during an earlier weekend outage, contradicting Merseyrail's initial downplaying of that outage, and stated that employee and customer data had been stolen; it included a link to a sample of employee personal information as proof. Merseyrail confirmed the cyberattack to BleepingComputer on April 17, 2021, stating that it had launched a full investigation and notified the relevant authorities, and declined further comment while the investigation was ongoing. The UK Information Commissioner's Office acknowledged that Merseyrail had reported the incident and said it was assessing the details provided, indicating potential data protection implications.

By sending from Heath's @merseyrail.org account, the attackers delivered their claims directly to staff and the press, an escalation of ransomware extortion tactics that adds pressure through the victim's own trusted communication channel rather than relying on encryption alone. Two points matter for responders. First, the email proves only that the attackers held working access to that mailbox (a stolen credential or session token is enough); it does not by itself establish how far they had moved into the rest of the environment, and the linked data sample is the only public evidence for the theft claim. Second, a mailbox used this way should be treated as fully compromised: every message it sent, including to external recipients, needs review, its sessions and credentials need to be revoked, and the tenant's sign-in and mailbox audit logs need to be examined for the initial access path. Merseyrail disclosed neither the operational impact nor the scope of the data involved and did not publicly report service disruption attributable to the attack, but it faced reputational harm from the public exposure of the breach and the data theft claims. No further details about the investigation's outcome, any ransom demand or data recovery were published in the available sources, so the full technical scope and long-term consequences of the attack remain undocumented in public reporting.
