Top 5 Things to Know About the Sophisticated Cyber Attack on TfL
Date: 17 September 2024
The attacks on critical infrastructure and public service organisations don’t seem to be stopping. Healthcare and education already make headlines every month and public transportation doesn’t seem to be far behind now.
The massive attack on Transport for London (TfL) is yet another resounding reminder of just how important protecting critical infrastructure from cyber crime is. While the disruption to public services in this case was initially thought to be far from damaging, the repercussions of the sophisticated attack soon began to unravel.
Differently abled passengers weren’t able to use a dedicated transport service run by TfL. 5,000 customers are now believed to have had their data compromised. A 17-year-old man appeared to be behind the attack, but was later released on bail.
This cyber attack, like several others, is once again a reminder for organisations to urgently prioritise their cyber resilience. Cyber Incident Response Planning has taken centre stage yet again, as has the need to consistently test one’s ability to manage digital disruptions. Cyber Attack Tabletop Exercises are the only real solution here. They allow businesses to test their ability to handle a cybersecurity event in a simulated attack setting. This enhances the Incident Response team’s real-world skills and decision-making, and makes the Incident Response Plan steps a part of their muscle memory.
TfL Cyber Attack: What We Know So Far
The TfL attack underscores the need for continuous investment in cybersecurity to protect both operational systems and customer data. Here’s a quick roundup of everything that’s known about this large-scale attack:
- Thousands of Customers’ Details Compromised: Transport for London (TfL) has revealed that the cyber attack, discovered on Sunday, September 1, may have compromised the personal information of thousands of customers, including their home addresses and banking details. TfL estimates that 5,000 customers’ information might have been stolen.
Initially, TfL said there was no indication that data was compromised. However, it did implement measures to limit email access and employee systems as a containment effort.
- Impact on Riders: While TfL said that its services had not been impacted when the attack was identified two weeks ago, the situation has developed rapidly since.
The first to be impacted were differently abled passengers who couldn’t use the Dial-a-Ride service in the aftermath of the attack. Dial-a-Ride offers door-to-door transport for individuals with long-term disabilities. It uses accessible buses for those unable to use standard public transportation.
TfL also shut down some services as a precautionary measure. This included Oyster Card renewals and access to live Tube departure boards.
The attack also delayed contactless payments at eight train stations in London. As a result of this disruption, the initiative to extend contactless payment options to additional National Rail stations beyond London has been postponed.
- Full System Reset: In order to deal with the cyber attack, TfL is doing a complete system reset. This means it has invited its staff to attend an in-person password reset and identity verification process. Until they undergo this reset, employees will lose access to their OneLondon accounts.
“There are around 30,000 members of staff who need their OneLondon account passwords reset. We [have] a process in place to ensure that the most critical staff to the operation of our network are prioritised,” said TfL on its employee hub.
- 17-year-old Hacker Questioned: It appears that TfL was hacked by a 17-year-old based in Walsall, England. As per the National Crime Agency (NCA), the teenage threat actor was arrested for Computer Misuse Act offences on September 5. However, apparently he was later released on bail after questioning.
Allegedly, this teenager exfiltrated TfL passenger data through a variety of sources. Approximately 5,000 passengers may have had their bank details, including sort codes and account numbers, exposed through data linked to Oyster card refunds.
Some who had signed up for TfL’s email notifications might have had their personal details, such as names, email addresses, and home addresses, compromised.
- TfL’s Response: Shashi Verma, the Chief Technology Officer at TfL, said that the organisation will directly contact those customers who have been affected by the data breach.
He said, “We have notified the Information Commissioner’s Office and are working at pace with our partners to progress the investigation. We will provide further updates as soon as possible.”
TfL also said it has introduced enhanced IT security measures to safeguard its critical systems and ensure that all essential operations continue without disruption.
The NCA’s Cyber Crime Unit also commended TfL for its swift response. Paul Foster, head of the NCA's National Cyber Crime Unit, said: "The swift response by TfL following the incident has enabled us to act quickly, and we are grateful for their continued cooperation with our investigation, which remains ongoing."