Cyberattack on Fastway Couriers compromises contact details

Delivery firm apologises and says names and addresses involved but financial details safe

The names, addresses and contact details belonging to almost 450,000 people were compromised in a cyberattack on one of the country’s largest parcel delivery companies.

Fastway Couriers said the names, postal addresses and email addresses and/or phone numbers of 446,143 people who had received parcels over a month-long period from mid-January were exposed in a “malicious hack”.

The company said that it notified An Garda Síochána about the hack of its computer systems and made a data breach submission to the State's data privacy watchdog, the Data Protection Commission.

The hacked data is information used for delivery purposes only and contained no customer financial details so no personal financial or payment card information is at risk and no passwords have been exposed in the attack.


‘Fully mitigated’

The cyberattack was identified by a IT development contractor employed by Fastway on February 25th and was “fully mitigated” by 9am on February 26th, the courier firm said.

The contractor advised Fastway of the breach on March 2nd.

A spokesman for the Data Protection Commission said that it received a data breach notification from Fastway on March 4th and that it was assessing the incident and preparing to engage with the company.

The compromised information relates to data on Fastway’s clients, which includes the personal information of the customers of those clients. The company anonymises personal data within 30 days of delivery.

Danny Hughes, chief executive of Fastway Couriers, said that it was "distressing" that the company's IT system was compromised by a "malicious hack".

“I deeply regret that people’s personal data has been compromised and I apologise to our clients and their customers,” he said.

“I want to stress that nobody’s financial data was at risk and the issue is limited to delivery information only.”

‘Best practice’

Mr Hughes said that it would continue to work closely with the Data Protection Commission, the Garda and clients “to manage this situation in line with best practice”.

The company said that it had engaged an IT consultancy to conduct “an incident response and independent review of the cyberattack”.

The data compromised relates to Fastway deliveries and in-flight or undelivered parcels over a period of about 30 days from the middle of January onwards, the courier company said.

Demand for parcel services has surged during the Covid-19 pandemic as the closure of retailers has forced people to buy more online and to rely on deliveries to private addresses as people stay at home.

Fastway has more than 7,000 clients, including 20 major online retailers with the remainder being medium-sized and smaller retailers.

One of Fastway’s clients, Belfast-based Chain Reaction Cycles, a large online retailer of cycling products, alerted customers on Thursday that their data was accessed “during planned database updates” by the courier firm.

It told customers that customer data was “vulnerable for a short period of time”.

Simon Carswell

Simon Carswell

Simon Carswell is The Irish Times’s Public Affairs Editor and former Washington correspondent