News: 1726152890

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Transport for London confirms 5,000 users' bank data exposed, pulls large chunks of IT infra offline

(2024/09/12)


Transport for London's ongoing cyber incident has taken a dark turn as the organization confirmed that some data, including bank details, might have been accessed, and 30,000 employees' passwords will need to be reset via in-person appointments.

TfL dropped the claim it made earlier this week that there had been "no evidence" of customer data being compromised in its cyber incident page. A further update has now [1]confirmed that, yes, some customer data might indeed have been accessed. According to TfL: "Some Oyster card refund data may have been accessed. This could include bank account numbers and sort codes for a limited number of customers (around 5,000)."

The UK agency has said it will contact affected customers as soon as possible "as a precautionary measure."

[2]

While the network continues to run, large chunks of the TfL IT infrastructure have been pulled offline. Live tube arrival information isn't available, applications for new Oyster photocards have been suspended, and refunds for incomplete pay-as-you-go journeys made using contactless. Staff have limited access to systems.

[3]

[4]

The last point is significant since TfL is undertaking an all-staff identity check and resetting 30,000 employee passwords in person. According to the [5]TfL Employee Hub , staff details have been accessed as well as those of customers, although right now TfL only suspects email addresses, job titles, and employee numbers have been looked at.

[6]The fingerpointing starts as cyber incident at London transport body continues

[7]Transport for London confirms cyberattack, assures us all is well

[8]Down and out: Aegon's pension pothole and TfL's mystery 'maintenance'

[9]'IT failure' hits blood tests as another critical incident declared by NHS

The Register understands that the incident is very much ongoing. There has also been an emergency meeting for management regarding the situation and a change in the physical security stance around TfL offices and facilities.

Physical security has, however, been beefed up by the sounds of it, although the very harrassed-sounding PR person said it was to "draw a line under it all."

TfL is no stranger to identity theft and malware. [10]In 2023 , in an unrelated incident, a London Underground worker, using a keylogger, was able to give himself discounts and access the accounts of colleagues. The worker, Lewis Kelly, [11]narrowly avoided a custodial sentence at the time. ®

Updated to add at 1515 UTC

The National Crime Agency [12]confirmed just minutes ago that a teenager was arrested last week in Walsall as part of the investigation into the attack. The NCA said, "The 17-year-old male was detained on suspicion of Computer Misuse Act offences in relation to the attack, which was launched on TfL on 1 September."

The teenager, who was arrested on September 5, was questioned by NCA officers and then bailed.

[13]

The cybercrime cops said they were leading the law enforcement response to the attack on TfL, working closely with the National Cyber Security Centre – an offshoot of British intelligence nerve center GCHQ – as well as with the transport body itself "to manage the incident and minimize any risks."

NCA deputy director Paul Foster, head of the agency's National Cyber Crime Unit, said: "Attacks on public infrastructure such as this can be hugely disruptive and lead to severe consequences for local communities and national systems.

"The swift response by TfL following the incident has enabled us to act quickly, and we are grateful for their continued co-operation with our investigation, which remains ongoing."

Get our [14]Tech Resources



[1] https://tfl.gov.uk/campaign/cyber-security-incident

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZuNkhrohtnBbGrLsxKazsgAAAk0&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZuNkhrohtnBbGrLsxKazsgAAAk0&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZuNkhrohtnBbGrLsxKazsgAAAk0&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://tflemployee.com/

[6] https://www.theregister.com/2024/09/05/the_fingerpointing_starts_as_the/

[7] https://www.theregister.com/2024/09/03/tfl_cyberattack/

[8] https://www.theregister.com/2024/09/10/aegon_tfl_maintenance/

[9] https://www.theregister.com/2024/09/11/nhs_pathology_services_battered_again/

[10] https://www.mylondon.news/news/east-london-news/london-underground-worker-hacked-colleagues-26254395

[11] https://www.mylondon.news/news/east-london-news/london-underground-worker-gave-himself-28424380

[12] https://www.nationalcrimeagency.gov.uk/news/arrest-made-in-nca-investigation-into-transport-for-london-cyber-attack

[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZuNkhrohtnBbGrLsxKazsgAAAk0&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[14] https://whitepapers.theregister.com/



Mind the gap.....

spireite

... in our security protocols.

Hack into TFLs inevitably large databank, and the world is your Oyster

Re: Mind the gap.....

Sudosu

They were trying to find a Perl.

Re: Mind the gap.....

Tom Chiverton 1

"Line managers/people leaders will use WhatsApp groups to share updates "

Let's hope that's not been popped as well as their corporate AD, eh? Most people will be there with their *personal* mobiles...

Guy de Loimbard

I'm quite sure this will expand beyond the only 5,000 users data leaked.....

At least TfL appear to be doing something about it!

Also this: https://www.bbc.co.uk/news/articles/c4gqg2elkj4o

Tom Chiverton 1

My god. It *was* a script kidz. A *teenager* at that.

Anonymous Coward

In-person password resets?

Is their SSL certificate compromised? Or their web infra so compromised they can't bring it online?

Tom Chiverton 1

Suggests they don't know who works for them any more, and what their access levels should be, so are going to fall back to physical company ID cards, and rebuild their directory from there.

It's a large workforce

Richard 12

Faking someone's voice over the phone is relatively easy, and wouldn't need to be particularly accurate to convince an overworked IT helpdesk phone support bod.

In-person is a lot harder to fake, especially as everyone already has a workplace photo ID.

Almost everyone starts their shift at one of the depots, so it's not actually a hardship as they're going to be there anyway.

Press Release

f4ff5e1881

From today's TfL Press Release regarding the ongoing cyber security incident:

"Although there has been very little impact on our customer so far, the situation continues to evolve..."

That may be so, but Eddie is getting very annoyed.

could include bank account numbers and sort codes

Howard Sway

TfL employees will have to do what I often had to when I commuted across central London and half the Northern Line was up the spout again : travel home via the Bank branch.

Motorists will pay

Kjm35

Glad I don’t drive in London.

When the ICO fine them, Mr K will need to increase CC, ULEZ, parking fine, new tolls etc to make up the shortfall

Re: Motorists will pay

John_Ericsson

The ICO have acknowledged the issues with fining the public sector (and the same issues apply to not for profit orgs undertaking public services), and will use their "discretion" to reduce fines. I have spent the last 5 mins thinking of alternatives and can not think of any,

Re: Motorists will pay

Anonymous Coward

Fire the top 5 levels of managment?

Re: Motorists will pay

EvilDrSmith

Make them do all their travelling around London by Bus?

Re: Motorists will pay

Korev

The buses in London are good; they should try Cornwall...

Pirates of Penzance icon -->

Re: Motorists will pay

Richard 12

Fine the top management instead.

Perhaps the sum of the last two years bonuses.

Surprised? No

Barry Rueger

I assume that any information about me, anywhere on-line, has been, or will be hacked or stolen.

At this point it's simply inevitable .

Can it be stopped? I'm inclined to think that most IT infrastructure has grown to the point where no-one entirely understands it. The size and complexity makes it a great target for hackers and governments.

Until something really, really , REALLY massive happens I can't see that changing.

Re: Surprised? No

IGotOut

@barry

Well given 26 BILLION records were leaked earlier this year, not sure how much more massive it needs to get.

Oh your talking Panama Papers type massive leak, not peasant class level.

17 year old arrested for the hack?

tip pc

How does a 17 year old amass the knowledge to hack through the multiple security layers between the data and the culprit?

even if security is lax, it can't have been trivial.

Either the culprit had access to the systems via a relative leaving a computer unlocked, they had the credentials or where just a patsy for a more skilled entity with the skills, expertise & experience to do this.

at a guess they'd need to circumvent AD, 2fa, vpn appliance. None of that is trivial and should be far far beyond a script kiddie.

and then bailed

chivo243

Did he get away? Bailing in US means to hotfoot it out of there, never to be seen again.

Re: and then bailed

John Brown (no body)

Don't the US have bail bonds and bounty hunters and stuff? I'm pretty sure bail is a thing in the US. Or is just that you don't use the term "bailed".

Or was that Lee Majors show The Fall Guy about a stuntman cum bounty hunter not real? :-)

A candidate is a person who gets money from the rich and votes from the
poor to protect them from each other.