UK: ‘There remains no impact to our public transport services and no evidence that any customer data has been compromised’, Transport for London said on September 6 when it issued an update on an ongoing cybersecurity incident.
‘We continually monitor who is accessing our systems to ensure only those authorised can gain access’, said Chief Technology Officer Shashi Verma. ‘We identified some suspicious activity on Sunday [September 1] and took action to limit access. A thorough investigation is currently taking place and we are working closely with the National Crime Agency and the National Cyber Security Centre to respond to the incident.’
A NCSC spokesperson told Metro Report International ‘we are working with Transport for London, alongside law enforcement partners, to fully understand the impact of an incident’.
TfL has released very few details, but on September 5 specialist IT news website The Register reported that the response has ’all the hallmarks of a reaction to a ransomware attack or exfiltration attempt’.
TfL said measures being taken include temporarily restricting access to journey history for pay-as-you-go contactless customers, as well as limited access to some live travel data via apps, TfL Go and the TfL website, including next train information and the TfL JamCams.
TfL has also temporarily restricted access to the photocard portal which allows people to apply for travel concessions including the Zip Photocard, 16+ and 18+ Photocard and the 60+ Oyster photocard.
The booking system for Dial a Ride was also temporarily unavailable earlier in the week. Existing bookings were still fulfilled, and essential bookings can now be made by phone.
Commenting on the incident, Dirk Schrader, VP of Security Research at Netwrix said it was hard to assess the implications without more information, but ‘as a part of their attack remediation strategy, TfL asked its employees to work from home. This step should help limit the attack’s spread to users’ endpoints and avoid further privilege escalation if there is a solid network structure that allows the separation of remote workers from the affected systems.’
