Was the email account of Merseyrail’s MD hacked to spread word of ransomware attack?

Was the email account of Merseyrail's MD hacked to spread word of ransomware attack?

Here’s a weird one.

Bleeping Computer reports that Merseyrail, the railway network serving Liverpool and the surrounding area, has been hit by ransomware.

So far, so not extraordinary.

But what makes this story somewhat different is that Lawrence Abrams at Bleeping Computer says that the first he knew of Merseyrail being attacked was when he (alongside various British newspapers and staff of the transport service) received an email on April 18 seemingly sent from the account of Merseyrail managing director Andy Heath.

The email, with the subject line “Lockbit Ransomware Attack and Data Theft,” claimed that an outage the previous weekend had in fact been the result of a ransomware attack where cybercriminals stole employee and customer data.

The supposition is that the MD of Merseyrail’s Office 365 email account had been compromised the hackers in an attempt to spread word of the security breach, and apply pressure on the organisation to pay up.

If true, it’s certainly quite an audacious move to hack the email account of the boss of a corporate victim, and use that as a platform for informing the world of a security breach.

Sign up to our free newsletter.
Security news, advice, and tips.

Merseyrail has now confirmed to Bleeping Computer that it has been the recent target of a cyber attack, and that it has informed the Information Commissioner’s Office (ICO). Merseyrail says that it is continuing to investigate the incident, and will not comment on the how its managing director managed to have his corporate email account compromised.

The breach comes at a bad time for Merseyrail, which is struggling financially as a result of the Covid-19 pandemic.

At the time of writing there is no mention of a cyber attack on Merseyrail’s website.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.