TfL provides further update on cyber security incident; experts comment

TfL has issued an update in relation to the ongoing cyber security incident that it is managing, after reports emerged that up to 3000 users' payment details had been exposed and a 17-year-old from Walsall had been arrested in connection with the breach.

Shashi Verma, TfL’s Chief Technology Officer, said: “The security of our systems and customer data is very important to us. We continually monitor who is accessing our systems to ensure only those authorised can gain access. We identified some suspicious activity on Sunday 1 September and took action to limit access. A thorough investigation continues alongside the National Crime Agency and the National Cyber Security Centre.

“Although there has been very little impact on our customers so far, the situation continues to evolve and our investigations have identified that certain customer data has been accessed. This includes some customer names and contact details (including email addresses and home addresses where provided).

“Some Oyster card refund data may also have been accessed. This could include bank account numbers and sort codes for a limited number of customers. As a precautionary measure, we will be contacting these customers directly as soon as possible to advise them of the support we can provide and the steps they can take.

“We have notified the Information Commissioner’s Office and are working at pace with our partners to progress the investigation. We will provide further updates as soon as possible.

“In addition, as part of the measures we have implemented to deal with the cyber incident, we have today put in place additional measures to improve our security. This includes an all-staff IT identity check. Throughout this planned process we have ensured that all safety critical systems and processes have been maintained.

“We do not expect any significant impact to customer journeys as we carry out this process. However, temporary and limited disruption is possible to some services so, as ever, please check before you travel.”

Cybersecurity expert Jon Lyons of Mobius Networks says: “Cybercrime is big business, somewhere in the region of $8 billion in 2023. I regularly get asked why would someone want to hack my ‘insert thing here’? Usually that ‘thing’ is a small part in a much bigger solution or the weakest link of a chain.

“Here’s an example, a company makes fish tanks, their customers want to be able to monitor the temperature of the water in the tank via an online portal. Do they need to worry about cyber security, who wants to hack a fish tank? Put that fish tank in a casino and now it’s an easy way into the casino’s network, and in this case to the high roller database.” https://thehackernews.com/2018/04/iot-hacking-thermometer.html

“Cyber security is assumed,” adds Lyons’ colleague Peter Simm. “Tier one supply is Cyber-secure, so it’s assumed that the supply chain is secure, but the last three breaches in the NHS have been with tier three or four suppliers. That’s why zero trust is gaining popularity but implementing it is unpalatable.” 

“Cybercriminals use fear and emotion to get their target to pay up quickly to reduce exposure and/or downtime,” Lyons continues. “Imagine if all of the traffic lights in London went to red, or all of the enforcement cameras stopped working, or all of the fuel stations and EV chargers stopped, or there was a massive power surge caused by millions of devices demanding power simultaneously, the list goes on… what impact will that have to lost revenue? Would it be cheaper to pay the Cybercriminal?

“Cyber security should be the first thing that anyone that is connecting a thing should be thinking about, but in my experience it is usually the last. Every link in the chain should be maintaining a minimum level of certification, the UK government’s minimum baseline is Cyber Essentials, are all of the suppliers in the chain certified? ‘You can’t be a little bit secure.’”
