Date: 2024-12-06

The September 2024 cyber attack that forced Transport for London (TfL) to suspend multiple services across the capital has cost it more than £30m to date, it has emerged.

In a financial update to its board, TfL said that previous forecasts of an operating surplus of £61m had now been slashed to £23m, largely due to the financial impact of the security incident. It currently has an operating deficit of £37m, which is £122m lower than initially budgeted for.

The organisation revealed that it has spent £5m on incident response, investigation and remedial cyber security measures in the past three months.

The incident began on 1 September when defenders detected suspicious activity on TfL’s network. Likely fearing ransomware, the IT security teams limited and shut off several systems to ensure the impact was minimised.

Fortunately, the impact of the incident on London’s bus, Tube and other services was limited, but multiple other services were affected. Most prominently, passengers were left unable to access their account logins for contactless and Oyster payment services, APIs used by third parties including Citymapper went offline, and the Dial-a-Ride service for disabled people had to be briefly suspended.

Although initially TfL said that it did not believe passenger data had been affected, it later found that data on 5,000 people was accessed, including names, contact details and in some cases bank account data. All of these people have been contacted and the incident has been referred to the Information Commissioner’s Office (ICO). Subsequently, the National Crime Agency (NCA) arrested and later bailed a 17-year-old boy on suspicion of offences under the Computer Misuse Act.

In the report, TfL commissioner Andrew Lord thanked the thousands of TfL employees who have “really pulled together” in recent weeks to address the disruption and maintain key services, and passengers for their patience.

Lord added that TfL had received wide praise and recognition for its response, but said that the consequences of the incident will continue for some months to come. He promised a full review of the incident in due course, although stressed that publicly available information will remain limited as it relates to an ongoing criminal case.