TfL revises statement on customer data theft after cyber-attack

The incident continues to disrupt online services

Transport for London (TfL) has retracted its previous claim that there is no evidence of customer data being compromised in the ongoing cyberattack.

The incident, which began over a week ago, has disrupted several TfL online and digital services while leaving the core transportation network unaffected.

In an update on its cyber incident page, TfL acknowledged that the incident remains ongoing and that the security of its systems and customer data is a top priority.

However, the update removed a line that previously said that there was "no evidence that any customer data has been compromised."

The removal of that specific line raises questions about the extent of the breach and the potential impact on TfL's customers.

When asked by TechCrunch if TfL has the technical capabilities to assess what data may have been exfiltrated, a spokesperson declined to provide a response.

Despite the update, TfL has not released any additional information regarding the nature of the cyberattack or the steps being taken to address the situation.

The incident, first reported on 2nd September, prompted TfL to seek assistance from the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).

The ongoing attack has resulted in the temporary suspension of Oyster photocard applications, including Zip cards, and limited access to journey history for contactless pay-as-you-go users.

Refunds for incomplete contactless journeys are currently unavailable. TfL has assured Oyster customers that they can still self-serve online.

Additionally, TfL's staff have faced limitations in accessing internal systems and emails, leading to delays in responding to customer inquiries.

TfL's Dial-a-Ride service, which provides door-to-door transport for those with long-term disabilities, has also been hit by the cyberattack. The transport provider has stated that they are currently processing only a limited number of booking requests due to system constraints.

Despite the ongoing challenges, London's transport network, including the underground buses, trams, and overground services, continues to operate with minimal disruption.

Whilst the exact nature of the cyber-attack remains unclear, reports suggest that the primary target was TfL's backroom systems at its corporate headquarters.

Andrew Brown, MD at software developer Propel Tech, highlighted the vulnerabilities exposed by the attack and the need for further action.

He pointed out that the decision to ask employees to work remotely indicates that "there is still a lot of work to be done."

Shashi Verma, TfL's Chief Technology Officer, has reassured the public, stating, "We will continue to keep our customers and our staff updated on the incident as part of this ongoing work and thank them for their patience as we respond to this incident."

The attack comes just over a year after TfL's systems were impacted by a breach in July 2023, when the Cl0p ransomware group reportedly hacked a third-party supplier, exposing the contact details of 13,000 customers. At that time, the organisation said that no financial data was compromised in the breach.