Was the email account of Merseyrail’s MD hacked to spread word of ransomware attack?

Here’s a weird one.

Bleeping Computer reports that Merseyrail, the railway network serving Liverpool and the surrounding area, has been hit by ransomware.

So far, so not extraordinary.

But what makes this story somewhat different is that Lawrence Abrams at Bleeping Computer says that the first he knew of Merseyrail being attacked was when he (alongside various British newspapers and staff of the transport service) received an email on April 18 seemingly sent from the account of Merseyrail managing director Andy Heath.

The email, with the subject line “Lockbit Ransomware Attack and Data Theft,” claimed that an outage the previous weekend had in fact been the result of a ransomware attack where cybercriminals stole employee and customer data.

The supposition is that the Office 365 email account of Merseyrail’s MD had been compromised by the hackers in an attempt to spread word of the security breach, and apply pressure on the organisation to pay up.

If true, it’s certainly quite an audacious move to hack the email account of the boss of a corporate victim, and use that as a platform for informing the world of a security breach.

Merseyrail has now confirmed to Bleeping Computer that it has been the recent target of a cyber attack, and that it has informed the Information Commissioner’s Office (ICO). Merseyrail says that it is continuing to investigate the incident, and will not comment on how its managing director managed to have his corporate email account compromised.

The breach comes at a bad time for Merseyrail, which is struggling financially as a result of the Covid-19 pandemic.

At the time of writing there is no mention of a cyber attack on Merseyrail’s website.

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.
