Ireland's Revenue Commissioners has confirmed that 137 of its employees were caught up in a third-party data breach stemming from a ransomware attack against franking machine supplier Pitney Bowes. An internal email to staff warned that ransom negotiations "did not go well" and that some stolen records have already been published online.
What Happened
In late April 2026, Revenue's internal security team distributed an all-staff email disclosing that personal work information belonging to 137 employees had been compromised through Pitney Bowes, a long-standing supplier of franking machines used across Revenue offices. According to the message, attempts to contain the breach through negotiation with the attackers failed, and a portion of the exfiltrated dataset has already surfaced on the open web. Revenue stated home addresses were unlikely to be affected unless a staff member operated a machine from a residential location. The incident was reported publicly on 18 May 2026.
What Was Taken
The compromised records reportedly include:
- Full names of affected Revenue staff
- Work email addresses
- Job titles
- Office phone numbers
- Office addresses (home addresses generally excluded)
Revenue's internal message stated that no passwords were stolen during the incident. However, the agency reinforced its standing policy that staff must never reuse Revenue passwords on external systems, including those operated by trusted suppliers, an indication of concern about secondary credential abuse.
Why It Matters
The incident illustrates how a third-party supplier with seemingly low-risk function, in this case a postage and franking equipment vendor, can become the vector for exposing employees of a national tax authority. Revenue staff hold elevated trust positions and handle sensitive financial and personal data of Irish citizens and businesses, making them high-value targets for follow-on phishing, business email compromise, and social engineering. The publication of exfiltrated records online raises the long-tail risk that this data will be ingested into broader threat actor tooling for years to come.
The Attack Technique
The root incident was a ransomware attack against Pitney Bowes, a recurring target for extortion crews over recent years. Based on Revenue's internal communication referencing failed negotiations and the leaking of records online, the operation appears consistent with a double-extortion model in which attackers encrypt systems while simultaneously threatening to publish stolen data if payment is refused. The specific ransomware affiliate or strain behind the Pitney Bowes intrusion has not been disclosed in the Revenue communication. The compromised data was sourced from supplier records linking Revenue franking machine deployments to individual staff contacts.
What Organizations Should Do
- Audit franking, mailing, and back-office supplier relationships to identify what employee data third parties hold and under what retention terms.
- Enforce credential hygiene by mandating unique, non-reused passwords for all corporate accounts, backed by enterprise password managers and SSO where feasible.
- Deploy phishing-resistant MFA (FIDO2/WebAuthn) on staff accounts to neutralise the impact of harvested email addresses and job titles in spear-phishing campaigns.
- Brief affected staff proactively on the specific scam patterns likely to follow, including vendor impersonation, courier fraud, and IT helpdesk pretexting.
- Monitor leak sites and paste forums for the appearance of staff records, and feed identified entries into anti-phishing and identity protection workflows.
- Tighten vendor contracts to require breach notification timelines, encryption of personal data at rest, and minimisation of staff PII collected during onboarding.
Sources: Revenue staff warned not to use work passwords elsewhere after 137 staff caught in data breach