
TfL Cyber Attack Disrupts Services, Forcing Staff to Work From Home

An ongoing cyber attack targeting Transport for London (TfL) has disrupted critical IT systems, limiting access to Dial-a-Ride and other services.

TfL runs the transport network of the UK's capital, including buses, the Underground, Overground and trams. It also sets transport policy and maintains the city's critical transport infrastructure.

The London Underground (the Tube) alone carries over 5 million passengers a day, underlining TfL's central role in moving workers across the capital.

TfL detected suspicious activity by an unauthorized entity attempting to gain access to its internal computer network. It promptly responded by shutting down impacted computer systems to limit the threat actor’s access.

“This ongoing cyber-attack highlights how crucial preparedness is in reacting to the increasing volumes and sophistication of recent cyber threats,” said Haris Pylarinos, Founder and CEO at Hack The Box. “Security teams today must combine technical skills, intelligent decision-making, and agility in their response. This takes more than advanced technology – requiring high coordination where every single employee knows their role during an incident.”

Pylarinos recommended “effective response protocols, clear communication channels, and predefined roles” to “maintain high-performing teams.”

TfL also introduced measures to ensure its internal operations continued smoothly and engaged the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC).

“We have introduced a number of measures to our internal systems to deal with an ongoing cybersecurity incident,” said Shashi Verma, TfL’s chief technology officer.

In addition, the Southwark, London-based transport authority has notified the UK's Information Commissioner's Office (ICO). Under UK GDPR, an organisation must report a personal data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the individuals affected.

No evidence of customer data compromise, TfL says

TfL initially assessed that the “ongoing cyber security incident” had no impact on customer data or transportation services.

“Although we’ll need to complete our full assessment, at present, there is currently no evidence that any customer data has been compromised.

“There is currently no impact on TfL services and we are working closely with the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) to respond to the incident.”

Despite the transport authority's encouraging initial assessment, the full impact of a cyber attack often becomes apparent only days, weeks or even months after the incident.

If the TfL cyber attack did expose customer data, the impact could be significant: roughly 8.4 million people use London's transport network each day, and many of them have registered personal details with TfL.

Additionally, a disruptive cyber attack could bring the city to a standstill, given the network's vital role in daily transportation.

Meanwhile, TfL says it will "continue to assess the situation throughout and after the incident," which could significantly change its initial assessment. TfL has also reportedly asked staff to work from home while it continues to investigate.

Warning that it could not provide further comment because of the ongoing investigation, the NCSC confirmed it was working with the transport authority "to fully understand" the impact of the TfL cyber attack.

So far, no cybercrime group has claimed responsibility for the TfL incident, and the transport authority has not disclosed that information. TfL has also not described the nature of the incident, although the breadth of the disruption is consistent with an attempted ransomware attack that was detected and contained before it ran to completion.

Some reports say the attacker targeted a network appliance, and that TfL disabled VPN access for everyone except staff working from home. It also blocked inbound connections to everything except a few essential systems.
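As an added illustration of the containment step described above (example code written for this page, not TfL's configuration or anything it has published): a Python script that renders an nftables default-drop forward policy with an explicit allowlist and simulates the chain's first-match verdicts on constructed flows. The hosts, ports and rule comments are invented placeholders standing in for "a few essential systems"; disabling the VPN for everyone except home workers is a change on the VPN concentrator and is outside what this ruleset expresses.

```python
"""Emergency inbound containment: default-drop, explicit allowlist of
essential services, established flows kept alive.

Added example, not TfL's configuration. Hosts, ports and notes below are
constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Allow:
    dst: str           # destination host or CIDR (constructed)
    port: int
    proto: str = "tcp"
    note: str = ""


# Constructed allowlist: the handful of systems that must stay reachable
# from outside while everything else is cut off.
ESSENTIAL = [
    Allow("10.10.0.5/32", 443, note="incident ticketing"),
    Allow("10.10.0.20/32", 5061, note="phone booking desk, SIP over TLS"),
    Allow("10.20.0.0/24", 22, note="jump hosts used by the IR team"),
]


def nft_ruleset(allow, wan_if="wan0"):
    """Render an nftables forward-chain policy for a border firewall.

    Order matters: nftables is first-match, so the established/related
    rule must precede the allowlist, and the chain policy (drop) is the
    catch-all for anything not explicitly listed.
    """
    lines = [
        "table inet containment {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for a in allow:
        lines.append(
            f'    iifname "{wan_if}" ip daddr {a.dst} {a.proto} dport {a.port} '
            f'accept comment "{a.note}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


def decide(allow, flow):
    """Simulate the chain's first-match verdict for one inbound flow.

    flow is a dict with keys dst, port, proto and state; state is the
    conntrack state ('new', 'established', 'related' or 'invalid').
    """
    if flow["state"] in ("established", "related"):
        return "accept"
    if flow["state"] == "invalid":
        return "drop"
    dst = ipaddress.ip_address(flow["dst"])
    for a in allow:
        if (flow["proto"] == a.proto and flow["port"] == a.port
                and dst in ipaddress.ip_network(a.dst)):
            return "accept"
    return "drop"          # chain policy: nothing matched


if __name__ == "__main__":
    print(nft_ruleset(ESSENTIAL))
    # Constructed flows: RDP to a file server is cut off, the booking
    # desk stays reachable, and an already-established session survives.
    for f in (
        {"dst": "10.10.0.5", "port": 3389, "proto": "tcp", "state": "new"},
        {"dst": "10.10.0.20", "port": 5061, "proto": "tcp", "state": "new"},
        {"dst": "10.30.0.9", "port": 445, "proto": "tcp", "state": "established"},
    ):
        print(f, "->", decide(ESSENTIAL, f))
```

The third sample flow shows the caveat that matters during containment: the established/related rule keeps legitimate sessions alive, but it equally preserves any connection the intruder already holds. A policy like this therefore needs to be paired with flushing the connection-tracking table (for example `conntrack -F` from conntrack-tools) or shutting down the affected hosts, which is what TfL reported doing.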

TfL cyber attack impacts disabled users

London’s transport authority says the cyber attack has impacted Dial-a-Ride, a door-to-door transport service for mobility-impaired people.

According to TfL, the service was "unable to process any new booking requests," and staff had "limited access to systems and email," leaving them unable to respond to customer queries.

Essential bookings can currently be made by phone while TfL works to restore full capacity. Oyster photocard and Zip card application services are unavailable.

Dial-a-Ride was probably collateral damage rather than the target: the attack most likely aimed at the transport authority's internal systems, either to cause widespread disruption or to encrypt data for extortion.

Cybercriminals typically pick targets indiscriminately, including organizations serving society's most vulnerable, such as children's hospitals, blood donation services and cancer treatment centers.

In June 2024, London hospitals canceled cancer operations after a ransomware attack by a Russian-speaking criminal group disrupted NHS services that millions of people depend on.

Another cyber attack on critical national infrastructure

The United Kingdom's critical national infrastructure (CNI) is a top target for Russian state-sanctioned and pro-government hacking groups because of the country's prominent role in supporting Ukraine.

Similarly, Russia-based financially motivated threat actors frequently target UK organizations, including critical infrastructure operators.

In July 2023, TfL disclosed that the personal information of about 13,000 customers had been exposed when the Clop ransomware gang exploited a zero-day vulnerability in MOVEit Transfer, a managed file transfer (MFT) product, on a server hosted by a third-party supplier.