Correspondence intended for the Presidential Palace, ministries, embassies, the Police and the Central Prisons has surfaced on the dark web in the form of screenshots, Politis.com.cy has learned.
The Cyprus Post suffered a cyberattack, leading to the leak of data online. Among the files published are screenshots of official mail exchanges addressed to multiple government agencies and diplomatic missions.
According to preliminary findings, the breach was achieved by exploiting a vulnerability in the organisation’s “Thalis” information system, which handles both incoming and local postal deliveries.
The leaked data reportedly includes internal network details, IP addresses, user credentials, staff and customer emails, as well as package, correspondence and invoicing information from various public and private entities.
Additional information appears to include physical addresses, phone numbers of businesses and individuals, internal financial transaction records and tracking codes. Some of the compromised correspondence involved sensitive state recipients such as the Presidential Palace, the Ministries of Justice, Finance and Health, the Police, the Central Prisons, and embassies of countries including Ukraine, Saudi Arabia, Russia, Israel, Spain, Romania and France.
In a statement issued on 30 September 2025, Cyprus Post announced that the “Thalis” system had been deactivated for security reasons.
Postal Services Director Pavlos Pavlidis confirmed the cyberattack in comments to Politis.com.cy, describing the incident as “concerning.” He assured, however, that no sensitive personal data has been confirmed leaked, noting that the hacker did not gain access to the central database of the Postal Services.
An investigation is ongoing, and the Commissioner for Personal Data Protection, Maria Christofidou, has been formally notified of the breach.
