Transport for London confirms cyberattack, assures us all is well

Transport for London (TfL) – responsible for much of the public network carrying people around England's capital – is battling to stay on top of an unfolding "cyber security incident." Confirmation emerged yesterday evening when TfL said: "We are currently dealing with an ongoing cyber security incident. "The security of our …

  1. gryphon

    I wonder if this is like the Kevin Bacon character in Animal House who keeps saying 'Remain calm, all is well' then gets knocked over and trampled on.

    In other words, they would say that wouldn't they.

    1. Crypto Monad Silver badge

      Oh perhaps Corporal Jones...

      1. BartyFartsLast Silver badge

        I've got my towel and guide, Don't Panic.

  2. elsergiovolador Silver badge

    Mild

    This is just a mild cyber attack. Vitamin C and a lie down is all that's needed, but just in case head trauma surgeons are on standby.

  3. Julian Poyntz

    What for the Khanage disinformation

    He's good at that.

    At the end of his crap, we will be told there was nothing to worry about, nothing happened, and due to TFL and his hard work, hackers like this are now on the decline

    1. Furious Reg reader John

      Re: What for the Khanage disinformation

      It will mostly be his own work that saved the decent, hard working people of London, and TfL only helped a little bit.....

  4. Anonymous Coward

    Mind the crap

    Just an issue with the inter tubes

  5. Guy de Loimbard Bronze badge

    TfL is an Operator of Essential Services

    So it has a legal requirement to inform its regulator, and the ICO too possibly.

    Be interesting to see how this is spun, the NIS Regulations require a breach of an Operator of Essential Services to produce significant reporting and within 72 Hours too.

    Watch this space, there can only be more information coming on this breach......

    1. Will Godfrey Silver badge
      Big Brother

      Re: TfL is an Operator of Essential Services

      Newsflash:

      "We would give a complete account of events but it has been declared a National Security incident so regrettably we can't."

      1. MonkeyJuice Bronze badge

        Re: TfL is an Operator of Essential Services

        Because when it transpires that any 14 year old with a grudge can kick us in, _everyone_ will want to do it.

    2. hoola Silver badge

      Re: TfL is an Operator of Essential Services

      Is this actually confirmed as a breach or just an attack?

      The statement "We have taken steps to prevent any further access" suggests 'yes' but that does not actually mean it is a data breach.

      1. Crypto Monad Silver badge

        Re: TfL is an Operator of Essential Services

        Systems are under attack all the time; it's just background radiation on the Internet. So to report it, it must be a breach.

  6. David Austin

    Email I sent to TFL last month

    Had an un-registered oyster card since 2003; Needed to claim some Delay Repay, so phoned customer services who helpfully pre-made me an account.

    This is what they got back:

    I’m deeply unhappy giving TFL this much personal information to get a refund on a service that required no ID or registration, and I will be filing a right to be forgotten request to remove all this data once the delay refund process is complete.

    I do Not want my Oyster card linked to any account or payment method, I do Not agree to your online account terms and conditions, and I want this account deleted right away, before I raise a further complaint about setting an account up against my wishes.

    Resisting the urge to send back an I Told You So email today...

    1. Anonymous Coward

      Re: Email I sent to TFL last month

      Bet you're fun at parties.

    2. Roj Blake Silver badge

      Re: Email I sent to TFL last month

      You demand a refund, but refuse to give them a payment method.

      Good luck.

      1. ChrisC Silver badge

        Re: Email I sent to TFL last month

        Uhh, that's not the takeaway I got from their post - they had an unregistered Oyster, i.e. one that they could manually top up as required, but which wasn't linked to a TfL account and therefore couldn't be administered remotely. This shows clear intent from the user that they do not want TfL to be storing any details, and given that TfL explicitly provide for users using Oysters like this, no problem there.

        They then requested a refund of the unused balance on said card, and by the sounds of it *did* supply TfL with the details needed for this to be processed. Again, so far so good.

        Their objection seems to have been that, in order to handle the refund, TfL then also took it upon themselves to effectively turn the card into a registered one, with the payment method details now associated with it within TfL's database. THAT'S a no-no - if the user never wanted their details stored by TfL (as their earlier use of the card in unregistered mode rather implies), and if they've then provided TfL with sufficient information to be able to process a one-off refund (again, as seems to have been the case), then there should be no, zero, nil, none, not a single solitary one, excuse for TfL retaining those details any longer than required to deal with the refund, and it's really not difficult to understand why they were a bit pissed off at TfL's actions there.

        1. Yuri2310

          Re: Email I sent to TFL last month

          They do have a section on their FAQs how to request their account to be deleted though. It's a few extra steps for requesting a delay-repay on an Oyster but nothing inherently wrong with that - otherwise the poster could just go for a paper ticket

        2. David Austin

          Re: Email I sent to TFL last month

          100% correct, ChrisC: you explained all of that way better than I could.

          It was especially galling as they required a scan of a recent utility bill and a passport/driving license to get the refund.

          As soon as they actually sort the refund out (They've managed 2 out of 3 so far), I'm filing a right to be forgotten; there is just no need for that amount of PID to be stored for a simple trip on the tube, and that was before they managed to get their systems hacked.

      2. David Austin

        Re: Email I sent to TFL last month

        ChrisC got the gist; I gave them bank account details, and they sent part of the payment without issue (missed one of the journeys, so have to yell at them about that)

        I resent the fact they want you to register an account (And accept the terms and conditions) for a refund, when they'll happily sell you the ticket without one.

    3. hoola Silver badge

      Re: Email I sent to TFL last month

      This is exactly the same as you have on many platforms. You want to complain about being mown down by an Uber driver, you need an account to complain, the same for Amazon and pretty much any of the major platforms.

      The assumption is that people will just provide the information and not give a stuff.

  7. Anonymous Coward

    well...

    At least it wasn't me, this time...

    1. Anonymous Coward

      Re: well...

      That's called the Shaggy defense.

      After so many years, the lyrics still amuse me :).

      1. Anonymous Coward

        Re: well...

        But it was, in fact, me, last time...

  8. Diogenes8080

    Reconnoitring

    MX:tfl.gov.uk = sundry Forcepoint / Blackspider

    SPF:tfl.gov.uk = ditto, their own ASN, a host associated with training, some miscellaneous Rackspace and Exchange Online.

    I think we can guess what's happened.

  9. Zippy´s Sausage Factory
    Coat

    So they're checking for hackers, but did they check for Yetis? Have UNIT been alerted?

    I'll get me coat...

  10. A_O_Rourke

    I'm not sure why people use Oyster cards

    I'm from a little country village "OOP North" but whenever I go to that there London I simply use my watch and tap to pay, unless the OP doesn't want their bank tracking their journeys (assuming they have a bank)

    1. Flicker

      Re: I'm not sure why people use Oyster cards

      You can't link National Railcard discounts (usually 1/3 reduction in off-peak fares) with non-Oyster contactless, and all of the special categories (Student, Job-seeker etc.) also only operate with Oyster. TfL have been promising to provide a way to link these to "normal" contactless for years and it's now supposed to come with a later phase of their "Project Oval" Contactless expansion, but I can see why they're not overly keen to prioritise what would be in effect a revenue loss. Meanwhile it's a major pain with many journeys, especially those in the "expanded Contactless but non-Oyster" zones, now requiring a paper ticket to achieve a discounted fare. I'd love to be able to use my SwatchPay watch but sadly not an option until this is sorted.

  11. Efer Brick

    See it, say it, sorted?

    Do they say that on TfL? (Or, NR only)

  12. PB90210 Bronze badge

    The only effect seems to be another outage on the District/Overground between Gunnersbury and Richmond... they say it's another track fault, but we all know that's too much of a coincidence

  13. MrGreen

    Bonuses All Round

    The head of TFL earns £350,000 per year plus a £150,000 bonus.

    He received the £150,000 bonus when they went bankrupt and he’ll receive the same bonus after this failure as well.
