Millions of people who provided personal data, like a mobile phone number or an email account, to Greece’s state-run post office (ELTA) continue to receive deceptive electronic messages designed to trick them into sharing their bank or payment platform usernames and passwords more than two years after ELTA’s mainframe computer system was hacked.

Phone messages and emails sent by hackers claim that the recipient has a parcel awaiting delivery and that all they have to do is pay customs fees or warehouse expenses. If a user clicks on the deceptive link included in the message, they will be asked for their codes.

The cyber-attack, which reportedly uses what experts call “zero day malware” and the “https reverse shell” technique, occurred in March 2022. It resulted in the theft of data corresponding to 4.6 million people who had provided the post office with such information in the past. In Greece, the post office also doubles as a credit institution, where certain categories of beneficiaries have their pensions deposited.

According to the authorities, the data was subsequently trafficked clandestinely over the “dark web”.

The incident led to Greece’s independent Data Protection Agency (DPA) recently fining ELTA nearly three million euros, one of the highest penalties it has ever imposed.

At the time of the incident, ELTA’s leadership had referred to a “limited attack”. The new senior management team imposed in the wake of the leak maintain that the post office now has state-of-the-art IT systems installed with the highest security rating.