TfL confirms 5,000 customers’ bank data exposed

Transport for London’s ongoing cyber incident has taken a dark turn as the organization confirmed that some data, including bank details, might have been accessed, and 30,000 employees’ passwords will need to be reset via in-person appointments.

TfL dropped the claim it made earlier this week that there had been “no evidence” of customer data being compromised in its cyber incident page. A further update has now confirmed that, yes, some customer data might indeed have been accessed. According to TfL: “Some Oyster card refund data may have been accessed. This could include bank account numbers and sort codes for a limited number of customers (around 5,000).”

The UK agency has said it will contact affected customers as soon as possible “as a precautionary measure.”

While the network continues to run, large chunks of the TfL IT infrastructure have been pulled offline. Live tube arrival information isn’t available, applications for new Oyster photocards have been suspended, and refunds for incomplete pay-as-you-go journeys made using contactless. Staff have limited access to systems.

The last point is significant since TfL is undertaking an all-staff identity check and resetting 30,000 employee passwords in person. According to the TfL Employee Hub, staff details have been accessed as well as those of customers, although right now TfL only suspects email addresses, job titles, and employee numbers have been looked at.

The Register understands that the incident is very much ongoing. There has also been an emergency meeting for management regarding the situation and a change in the physical security stance around TfL offices and facilities.

Physical security has, however, been beefed up by the sounds of it, although the very harrassed-sounding PR person said it was to “draw a line under it all.”

TfL is no stranger to identity theft and malware. In 2023, in an unrelated incident, a London Underground worker, using a keylogger, was able to give himself discounts and access the accounts of colleagues. The worker, Lewis Kelly, narrowly avoided a custodial sentence at the time. ®

Updated to add at 1515 UTC

The National Crime Agency confirmed just minutes ago that a teenager was arrested last week in Walsall as part of the investigation into the attack. The NCA said, “The 17-year-old male was detained on suspicion of Computer Misuse Act offences in relation to the attack, which was launched on TfL on 1 September.”

The teenager, who was arrested on September 5, was questioned by NCA officers and then bailed.

The cybercrime cops said they were leading the law enforcement response to the attack on TfL, working closely with the National Cyber Security Centre – an offshoot of British intelligence nerve center GCHQ – as well as with the transport body itself “to manage the incident and minimize any risks.”

NCA deputy director Paul Foster, head of the agency’s National Cyber Crime Unit, said: “Attacks on public infrastructure such as this can be hugely disruptive and lead to severe consequences for local communities and national systems.

“The swift response by TfL following the incident has enabled us to act quickly, and we are grateful for their continued co-operation with our investigation, which remains ongoing.”