peterzayda - stock.adobe.com

Teenager arrested in TfL cyber attack investigation

New security measures following the cyber attack, which took down some of TfL’s services, have led to delays in contactless roll-out

As part of its investigation into a cyber security incident affecting Transport for London (TfL), the National Crime Agency has said it has arrested a teenager.

The 17-year-old male was detained on suspicion of Computer Misuse Act offences in relation to the attack, which was launched on TfL on 1 September.

The teenager, who was arrested on 5 September, was questioned by NCA officers and bailed.

Deputy director Paul Foster, head of the NCA’s National Cyber Crime Unit, said: “We have been working at pace to support Transport for London following a cyber attack on their network, and to identify the criminal actors responsible.”

Forster described the security incident as an attack on public infrastructure, which he said can be hugely disruptive.

“The swift response by TfL following the incident has enabled us to act quickly, and we are grateful for their continued cooperation with our investigation, which remains ongoing,” he added.

TfL initially reported on 1 September that it was experiencing an “ongoing cyber security incident”. As part of its response, it needed to temporarily suspend the Dial-a-Ride assisted transit service for disabled people during the cyber attack.

Read more cyber attack response stories

  • Ransomware remained a highly disruptive threat last month, as notable attacks claimed victims in healthcare, technology, manufacturing and the public sector.
  • Following the CrowdStrike outage, experts recommended that health IT security practitioners focus on building resilience and tackling third-party risk.

At the time, it said it had found no evidence customer data had been compromised. However, it has now conducted a deeper investigation that has shown some customer data was lost during the attack, and referred itself to the Information Commissioner’s Office.

“Although there has been very little impact on our customers so far, the situation continues to evolve and our investigations have identified that certain customer data has been accessed,” said Shashi Verma, TfL’s chief technology officer. “This includes some customer names and contact details (including email addresses and home addresses where provided).

“Some Oyster card refund data may also have been accessed,” he said. “This could include bank account numbers and sort codes for a limited number of customers. As a precautionary measure, we will be contacting these customers directly as soon as possible to advise them of the support we can provide and the steps they can take.

“We have notified the Information Commissioner’s Office and are working at pace with our partners to progress the investigation,” said Verma. “We will provide further updates as soon as possible.”

TfL said it has now implemented new IT security measures to ensure all safety-critical systems and processes have been maintained. This work has meant that TfL has needed to delay its contactless payment roll-out to 47 additional stations.

“The security measures we are taking mean that it is now not possible for us to deliver the necessary system changes to enable 47 additional stations outside London to benefit from pay as you go with contactless on 22 September as planned,” said Verma.

Read more on Regulatory compliance and standard requirements