
Updated Thursday, 12 September. It is now known that passenger data has been exposed.

Transport for London (TfL) has been hit with a cyber attack impacting commuters across the UK capital.

In an email shared with commuters yesterday evening, the London transport company said it had fallen victim to a ‘cyber security incident’ that is currently ‘ongoing’.

The statement assured customers that there is currently ‘no evidence that any customer data has been compromised’ and so far there has been no impact on TfL services. However, the investigation is still ongoing. 

"Although we'll need to complete our full assessment, at present, there is currently no evidence that any customer data has been compromised," a TfL spokesperson said. 

"There is currently no impact to TfL services and we are working closely with the National Crime Agency and the National Cyber Security Centre to respond to the incident."

Adam Pilton, Senior Cybersecurity Consultant at CyberSmart and former Detective Sergeant investigating cybercrime, told EM360Tech:

‘Interestingly they've declared that there is no evidence that any customer data has been compromised and there has been no impact on their services. This makes me question why they've decided to release this public statement at this point.’

TfL say that they have ‘taken immediate action to prevent any further access’ to their systems, as well as working closely with ‘relevant government agencies to respond to the incident’. They have not confirmed the nature of the incident or how the team are addressing the attack.

Shashi Verma, Chief Technology Officer at TfL, said that they have ‘introduced a number of measures’ to internal systems. He confirmed that they are still completing their ‘full assessment’ and are working with the National Crime Agency and National Cyber Security Centre.

'Work from home if possible'

According to reports, backroom systems at the organization's corporate headquarters have been affected, and staff were asked to work from home if possible.

This statement “suggests that the attacker may still be in their network,” Pilton continued.

“TfL is the heartbeat of London commuting. With this comes an incentive for attackers to break through the barriers and cause severe disruption or access the treasure trove of personal data that it holds.

“Like any large, complex organisation, TfL must be mindful of the gap in its cyber hygiene standards. Just like any other transport provider, it will operate a wide range of cyber-physical systems (CPS). Each one of these must be continuously monitored with visibility into all systems to quickly detect and mitigate threats,” Andrew Lintell, General Manager, EMEA at Claroty, told EM360Tech.

Why have TfL been targeted?

TfL operates the capital city’s transport network and is best known for the underground tube system, but it is also responsible for other public transport including overground rail services, buses, trams and even a cable car. Aside from this, the massive government-aligned body operates and maintains the roads around the city as well as traffic lights, river piers and Santander Cycles.

TfL also holds valuable data including passenger information, financial records, and operational details.

Simon Newman, Co-Founder of Cyber London and International Cyber Expo Advisory Council Member, told EM360: “The millions of customers who use TfL services every day will undoubtedly be worried by this attack. Although TfL have been quick to point out that there isn’t any evidence to suggest that customer data has been compromised, details of the incident are still emerging. This incident highlights the importance of having a robust Critical Incident Plan in place which has enabled TfL to respond quickly, notify customers and bring in external experts from the National Crime Agency and National Cyber Security Centre. TfL customers should monitor any suspicious activity on their account and change their password.

The Government recently announced plans to introduce a new Cyber Security and Resilience Bill to bring UK laws up to date. A key aim of the Bill is to protect more digital services and supply chains to reduce the number of attacks against critical public services in the UK.”

TfL have confirmed that they will issue a new update with more information when the incident is resolved. They will likely contact anyone directly affected by the incident personally.

“The recent cyberattack on Transport for London shows the persistent threat that all organisations face. Although TfL said that there's currently no indication that customer data has been compromised, the attack shows how important it is that data is managed properly. Every entity that collects and manages data must prioritise its protection. Implementing data-centric security is paramount; this approach focuses on safeguarding the data itself rather than just the perimeter defences. Moreover, adopting a zero-trust architecture can further enhance security. This model operates on the principle of "never trust, always verify," requiring continuous validation of access rights and assuming that threats can come from both outside and inside the network. This means that even if an incident does occur, data remains protected.” Erfan Shadabi, Cybersecurity Expert at comforte AG, advised.