Transport for London confirms 5,000 users' bank data exposed, pulls large chunks of IT infra offline
- Reference: 1726152890
- News link: https://www.theregister.co.uk/2024/09/12/transport_for_londons_cyber_attack/
- Source link:
TfL dropped the claim it made earlier this week that there had been "no evidence" of customer data being compromised in its cyber incident page. A further update has now [1]confirmed that, yes, some customer data might indeed have been accessed. According to TfL: "Some Oyster card refund data may have been accessed. This could include bank account numbers and sort codes for a limited number of customers (around 5,000)."
The UK agency has said it will contact affected customers as soon as possible "as a precautionary measure."
[2]
While the network continues to run, large chunks of the TfL IT infrastructure have been pulled offline. Live tube arrival information isn't available, applications for new Oyster photocards have been suspended, and refunds for incomplete pay-as-you-go journeys made using contactless. Staff have limited access to systems.
[3]
[4]
The last point is significant since TfL is undertaking an all-staff identity check and resetting 30,000 employee passwords in person. According to the [5]TfL Employee Hub , staff details have been accessed as well as those of customers, although right now TfL only suspects email addresses, job titles, and employee numbers have been looked at.
[6]The fingerpointing starts as cyber incident at London transport body continues
[7]Transport for London confirms cyberattack, assures us all is well
[8]Down and out: Aegon's pension pothole and TfL's mystery 'maintenance'
[9]'IT failure' hits blood tests as another critical incident declared by NHS
The Register understands that the incident is very much ongoing. There has also been an emergency meeting for management regarding the situation and a change in the physical security stance around TfL offices and facilities.
Physical security has, however, been beefed up by the sounds of it, although the very harrassed-sounding PR person said it was to "draw a line under it all."
TfL is no stranger to identity theft and malware. [10]In 2023 , in an unrelated incident, a London Underground worker, using a keylogger, was able to give himself discounts and access the accounts of colleagues. The worker, Lewis Kelly, [11]narrowly avoided a custodial sentence at the time. ®
Updated to add at 1515 UTC
The National Crime Agency [12]confirmed just minutes ago that a teenager was arrested last week in Walsall as part of the investigation into the attack. The NCA said, "The 17-year-old male was detained on suspicion of Computer Misuse Act offences in relation to the attack, which was launched on TfL on 1 September."
The teenager, who was arrested on September 5, was questioned by NCA officers and then bailed.
[13]
The cybercrime cops said they were leading the law enforcement response to the attack on TfL, working closely with the National Cyber Security Centre – an offshoot of British intelligence nerve center GCHQ – as well as with the transport body itself "to manage the incident and minimize any risks."
NCA deputy director Paul Foster, head of the agency's National Cyber Crime Unit, said: "Attacks on public infrastructure such as this can be hugely disruptive and lead to severe consequences for local communities and national systems.
"The swift response by TfL following the incident has enabled us to act quickly, and we are grateful for their continued co-operation with our investigation, which remains ongoing."
Get our [14]Tech Resources
[1] https://tfl.gov.uk/campaign/cyber-security-incident
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZuNkhrohtnBbGrLsxKazsgAAAk0&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZuNkhrohtnBbGrLsxKazsgAAAk0&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZuNkhrohtnBbGrLsxKazsgAAAk0&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://tflemployee.com/
[6] https://www.theregister.com/2024/09/05/the_fingerpointing_starts_as_the/
[7] https://www.theregister.com/2024/09/03/tfl_cyberattack/
[8] https://www.theregister.com/2024/09/10/aegon_tfl_maintenance/
[9] https://www.theregister.com/2024/09/11/nhs_pathology_services_battered_again/
[10] https://www.mylondon.news/news/east-london-news/london-underground-worker-hacked-colleagues-26254395
[11] https://www.mylondon.news/news/east-london-news/london-underground-worker-gave-himself-28424380
[12] https://www.nationalcrimeagency.gov.uk/news/arrest-made-in-nca-investigation-into-transport-for-london-cyber-attack
[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZuNkhrohtnBbGrLsxKazsgAAAk0&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[14] https://whitepapers.theregister.com/
Re: Mind the gap.....
They were trying to find a Perl.
Re: Mind the gap.....
"Line managers/people leaders will use WhatsApp groups to share updates "
Let's hope that's not been popped as well as their corporate AD, eh? Most people will be there with their *personal* mobiles...
I'm quite sure this will expand beyond the only 5,000 users data leaked.....
At least TfL appear to be doing something about it!
Also this: https://www.bbc.co.uk/news/articles/c4gqg2elkj4o
My god. It *was* a script kidz. A *teenager* at that.
In-person password resets?
Is their SSL certificate compromised? Or their web infra so compromised they can't bring it online?
Suggests they don't know who works for them any more, and what their access levels should be, so are going to fall back to physical company ID cards, and rebuild their directory from there.
It's a large workforce
Faking someone's voice over the phone is relatively easy, and wouldn't need to be particularly accurate to convince an overworked IT helpdesk phone support bod.
In-person is a lot harder to fake, especially as everyone already has a workplace photo ID.
Almost everyone starts their shift at one of the depots, so it's not actually a hardship as they're going to be there anyway.
Press Release
From today's TfL Press Release regarding the ongoing cyber security incident:
"Although there has been very little impact on our customer so far, the situation continues to evolve..."
That may be so, but Eddie is getting very annoyed.
could include bank account numbers and sort codes
TfL employees will have to do what I often had to when I commuted across central London and half the Northern Line was up the spout again : travel home via the Bank branch.
Motorists will pay
Glad I don’t drive in London.
When the ICO fine them, Mr K will need to increase CC, ULEZ, parking fine, new tolls etc to make up the shortfall
Re: Motorists will pay
The ICO have acknowledged the issues with fining the public sector (and the same issues apply to not for profit orgs undertaking public services), and will use their "discretion" to reduce fines. I have spent the last 5 mins thinking of alternatives and can not think of any,
Re: Motorists will pay
Fire the top 5 levels of managment?
Re: Motorists will pay
Make them do all their travelling around London by Bus?
Re: Motorists will pay
The buses in London are good; they should try Cornwall...
Pirates of Penzance icon -->
Re: Motorists will pay
Fine the top management instead.
Perhaps the sum of the last two years bonuses.
Surprised? No
I assume that any information about me, anywhere on-line, has been, or will be hacked or stolen.
At this point it's simply inevitable .
Can it be stopped? I'm inclined to think that most IT infrastructure has grown to the point where no-one entirely understands it. The size and complexity makes it a great target for hackers and governments.
Until something really, really , REALLY massive happens I can't see that changing.
Re: Surprised? No
@barry
Well given 26 BILLION records were leaked earlier this year, not sure how much more massive it needs to get.
Oh your talking Panama Papers type massive leak, not peasant class level.
17 year old arrested for the hack?
How does a 17 year old amass the knowledge to hack through the multiple security layers between the data and the culprit?
even if security is lax, it can't have been trivial.
Either the culprit had access to the systems via a relative leaving a computer unlocked, they had the credentials or where just a patsy for a more skilled entity with the skills, expertise & experience to do this.
at a guess they'd need to circumvent AD, 2fa, vpn appliance. None of that is trivial and should be far far beyond a script kiddie.
and then bailed
Did he get away? Bailing in US means to hotfoot it out of there, never to be seen again.
Re: and then bailed
Don't the US have bail bonds and bounty hunters and stuff? I'm pretty sure bail is a thing in the US. Or is just that you don't use the term "bailed".
Or was that Lee Majors show The Fall Guy about a stuntman cum bounty hunter not real? :-)
Mind the gap.....
... in our security protocols.
Hack into TFLs inevitably large databank, and the world is your Oyster