The cyber attack that hit Transport for London a week ago is much worse than first thought, TfL admitted on Thursday as it was revealed a teenager has been arrested in connection with the hack.
Names and phone numbers of passengers are thought to have been obtained, including some personal data from Oyster cards and Contactless bank cards used to make journeys on the capital’s public transport network.
The hack is understood to have potentially exposed the bank account details of about 5,000 passengers - either via activity on their Oyster card account or refund data. This includes account numbers and sort codes.
In addition, an unknown number of passengers who had signed up to TfL email alerts – for example, for regular email bulletins on the Elizabeth line or a particular Tube line – are thought to have had their name, home address or email account exposed.
TfL said all passengers affected would be contacted directly. It said it was taking immediate measures to improve online security.
The announcement came as the National Crime Agency revealed a 17-year-old male has been arrested on suspicion of Computer Misuse Act offences in relation to the attack.
The teenager, who was arrested in Walsall on 5 September, was questioned by NCA officers and bailed.
Sources told the Standard that other hackers were thought to be involved.
Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, said: “We have been working at pace to support Transport for London following a cyber attack on their network, and to identify the criminal actors responsible.
“Attacks on public infrastructure such as this can be hugely disruptive and lead to severe consequences for local communities and national systems.
“The swift response by TfL following the incident has enabled us to act quickly, and we are grateful for their continued co-operation with our investigation, which remains ongoing.
“The NCA leads the UK’s response to cybercrime. We work closely with partners to protect the public by ensuring cyber criminals cannot act with impunity, whether that be by bringing them before the courts or through other disruptive and preventative action.”
The cyber attack has wider implications for the roll-out of Contactless train travel outside London.
TfL has been fitting Contactless ticket barriers to about 100 stations across the Home Counties, with the latest tranche due to be switched on on September 22. This roll-out has now been paused.
Stations such as Basildon, Berkhamsted, Sevenoaks and Southend Central will be affected.
It came as City Hall staff were told to switch off their computers at 2pm on Thursday as the entire wifi system was rebooted. Visitors were told to log out of the wifi network.
Last week TfL commissioner Andy Lord admitted that the cyber attack was “still in play” but there is “no evidence at the moment to suggest that any customer data has been compromised”.
Shashi Verma, TfL's chief technology officer, said on Thursday afternoon: "We identified some suspicious activity on Sunday 1 September and took action to limit access. A thorough investigation continues alongside the National Crime Agency and the National Cyber Security Centre.
"Although there has been very little impact on our customers so far, the situation continues to evolve and our investigations have identified that certain customer data has been accessed. This includes some customer names and contact details (including email addresses and home addresses where provided).
"Some Oyster card refund data may also have been accessed. This could include bank account numbers and sort codes for a limited number of customers. As a precautionary measure, we will be contacting these customers directly as soon as possible to advise them of the support we can provide and the steps they can take.
"We have notified the Information Commissioner's Office and are working at pace with our partners to progress the investigation. We will provide further updates as soon as possible.
“We do not expect any significant impact to customer journeys as we carry out this process. However, temporary and limited disruption is possible to some services so, as ever, please check before you travel.
“The security measures we are taking mean that it is now not possible for us to deliver the necessary system changes to enable 47 additional stations outside London to benefit from pay as you go with contactless on 22 September as planned. We are working with DfT and the Rail Delivery Group to reschedule and we apologise for the delay.
"We will continue to keep our customers and our staff updated. I would like to apologise for the inconvenience this incident may cause customers and I thank everyone for their patience as we respond to this incident."
TfL’s efforts to deal with the cyber attack have resulted in a growing shutdown of its own systems, meaning that new zip cards used by children and teenagers cannot be obtained, Contactless bank card travel history cannot be seen and the live data feed on the TfL Go app and TfL website does not display.
New applications for Oyster cards, including the 60+ Oyster for older Londoners, cannot be processed at present.
TfL is also unable to make refunds for incomplete Tube or train journeys made using Contactless cards. Oyster users should be able to log on to record the station they exited, in order to avoid an excess fare.
According to TfL, the hackers themselves have not caused these issues – rather, they have resulted from TfL’s shutdown of its computer systems.
The cyber attack is not linked to the roll-out of Contactless on the wider rail network across the South-East. That has been delayed simply because TfL does not possess the “bandwidth” to carry out the work until the cyber hack is resolved.
There were also widespread ramifications at TfL and at City Hall, with staff being ordered home on Thursday afternoon.
TfL shut its “One London” online staff portal, which is used for email and web communications – leaving staff unable to log in, hold virtual meetings or retrieve files.
TfL’s internal system on which staff request holidays, reclaim expenses and arrange training sessions has also been suspended.
The effect is that it has “made it impossible to work” as staff cannot communicate with one another, other than in face-to-face meetings. WhatsApp groups are being set up to enable TfL staff to communicate with one another.
All 30,000 TfL staff have been told to reset their passwords – which they have to do by going into a TfL office and showing photo identification.
Some TfL staff data has also been accessed by hackers, including TfL addresses, job titles and employee numbers.
One source said the situation was so dire that there was no option other than to “go down the pub”.