Bad actors looking to do their Christmas shopping on the cheap have breached the IT systems of a Russian automated post box service, causing over 2,700 boxes to suddenly open.
PickPoint is a company that operates ‘checkpoints’ in Russia to which people can redirect parcels and collect them at any time of day.
Footage shared to social media shows one of these checkpoints with its signature orange boxes mysteriously opening one-by-one.
Over the weekend, PickPoint confirmed that it fell victim to a first-of-its-kind cyber attack that damaged its network.
“We are dealing with the world's first targeted cyberattack against a post-gateway network,” PickPoint said in a statement.
“The attack was detected at an early stage, so most of the 2,732 terminals were disabled and orders were not affected.
“Additional resources, engineers and IT specialists were involved in restoring the network to work.”
During the attack, the company remotely locked up all boxes – stopping people from getting their parcels – and had local staff run around collecting mail that was left exposed by opened lockers.
Within a day, PickPoint was back up and running.
A hacker attack hit PickPoint parcel lockers this morning, causing the storage compartments to swing wide open. The company's press office said the failure affected more than 3,000 terminals and promised to contact all affected customers. pic.twitter.com/rjCYakCOUh — роман соболев (@MicroRomario) December 7, 2020
Could it happen here?
Australia Post runs a similar service to PickPoint’s remote Parcel Locker system.
As with PickPoint, online shoppers can direct their parcels to a locker.
When it arrives, the buyer receives an email or text message with a code and instructions for how to open the locker any time – so long as it’s within 48 hours of delivery.
Information Age asked Australia Post about the security of its remote locker system and whether or not the IT system is managed by an external organisation.
“Australia Post takes the safe delivery of parcels seriously and provides a secure delivery service for customers,” a spokesperson said in a statement.
“We partner with trusted providers where appropriate to manage and support our technology assets.”
The national postal service had promised to overhaul its cyber security posture in the past year following a 2019 report from the Australian National Audit Office (ANAO) that found Australia Post had “not effectively managed cyber security risks”.
Australia Post has since updated a parliamentary committee on its improved cyber security efforts, with CISO Glenn Stuttard saying they were conducting “formal risk assessment against our critical assets that were identified as a gap in the report” and were “taking immediate action to address any identified concerns”.