The fingerpointing starts as cyber incident at London transport body continues

The Transport for London (TfL) "cyber incident" is heading into its third day amid claims that a popular appliance might have been the gateway for criminals to gain access to the organization's network. TfL remains tight-lipped over the nature of the incident and its broader impact, sticking instead to the line that there is …

  1. Mike 137 Silver badge

    Questionable position

    "sticking instead to the line that there is currently no evidence of customer data being compromised"

    Not a valid position. "we haven't found any evidence" does not equate to "there is no evidence". Largely depends on how much appropriate effort has been expended in looking for evidence.

    1. m4r35n357 Silver badge

      Re: Questionable position

      "there is currently no evidence of customer data being compromised" - that is what the intruders want TfL to think, coincidentally it is also what TfL want their customers to think.

      We don't stand a chance in this environment.

    2. elsergiovolador Silver badge

      Re: Questionable position

      "We are yet to squint harder"

    3. Headley_Grange Silver badge

      Re: Questionable position

      There's no valid position until they've done what they need to do to find out what's gone on and what's been compromised. For some unfathomable reason the truth - "We don't know, leave us alone until we've found out, at which point we'll be in touch." - isn't an acceptable answer for the press or its readers.

      1. Guy de Loimbard Silver badge
        Stop

        Re: Questionable position

        Totally agree with your comment Headley_Grange, but there's no stopping the insatiable appetite from the press to stir things up when there's a void of truth, speculate and make some shit up just to keep people interested until you have something truthful to say, if you're interested in the truth of course?! YMMV

      2. ChrisC Silver badge

        Re: Questionable position

        That may be true, however I'd still prefer organisations to be truthful rather than, if this is what's happening, pandering to the demands from the media/masses for a more definitive/positively spun answer - better to say "sorry, we really don't know yet", than to attempt to assuage the court of public opinion and risk ending up on the wrong side of an *actual* court if it then turns out their optimistic spin was entirely without merit...

        1. 0laf Silver badge
          Pirate

          Re: Questionable position

          Truthful? Somehow I think I'll die of old age before I hear the truth which will be the boardroom stating, "yeah we got nailed by some 14yr old skiddies from China who sent the CFO a phishing mail disguised as a discount voucher for a Thai massage parlor and he's clicked on it because he refuses to do any of the mandatory cyber security training, it contained 372 different sorts of malware but it got through because we cut the IT budget to 50p in 2013 and told them to keep running with the unsupported gear we bought in 2010 (still works yeah) and we've refused all downtime and overtime to do any patching for the last 18 months."

          "The security of our customers' data is our first concern" might be a complete lie, but it's much easier to say, and they'll get away with it as always.

          1. What? Me worry?
            Devil

            Everything everywhere is securities fraud

            Which is why I love this route to resolving it. https://www.bloomberg.com/opinion/articles/2019-06-26/everything-everywhere-is-securities-fraud Of course, this works in the good ol' USA where lobbing lawsuits ahoy is the way to go. :)

        2. Anonymous Coward
          Anonymous Coward

          Re: Questionable position

          they will have been told to keep shtum by their cyber insurers I expect

        3. hoola Silver badge

          Re: Questionable position

          How do you know that "We don't know or understand" is not truthful?

          The answer is you don't but people are obsessed with having "information" regardless of whether it is appropriate or accurate.

          If they make a statement that they have a WangChang.999 encryption attack instead of saying "we don't know", even though WangChang.999 is utter bollocks, then you will be screaming that they lied.

          People simply have to understand that there are circumstances where something is not known or more precise information simply cannot be divulged.

          At the end of the day, at this point does it make any difference to those commenting?

          NO!!!!!

          1. ChrisC Silver badge

            Re: Questionable position

            Err, I think you've misread my comment, or you've replied to the wrong person here...

            I very much AM saying I'd be happy for organisations to say "we don't know", rather than have them pandering to the "we must KNOW" brigade and releasing pseudo-factual statements before they a) know for sure what the problem actually is and b) are in the position to be able to make genuinely factual statements without risking any legal issues.

            1. hoola Silver badge

              Re: Questionable position

              Sorry, reply should have been to the first comment.

              Fully in agreement with what you have said :)

      3. hoola Silver badge

        Re: Questionable position

        It is exactly the same as the people who scream "just failover to DR or restore servers".

        If you don't know what the attack vector is you cannot do anything to recover services as there is a very high chance it will simply continue on the restored servers.

        1. Lee D Silver badge

          Re: Questionable position

          I remember a heated conversation when a workplace had a serious infection and I refused to restore from backup.

          Not until I know what I'm restoring to is safe, and that where I'm restoring from isn't subject to the same problems, and won't be put at risk by accessing it for that restoration.

          We went totally clean-room. Pulled in every device. Created a totally isolated network configured from scratch. Marked every computer and drive with red/green markings and started from known-blank drives to rebuild the servers and start pulling data FROM COPIES of the backups that were made entirely offline on machines that had never been part of the network or connected to it.

          Every computer was wiped.

          Once the backup copy was made, that was exposed to the isolated network for restoration, then we started restoring piecemeal and at every stage we red/greenlit based on even the slightest suspicion (e.g. that we may have backed up malware, etc.).

          It took FAR LONGER than "just a restore" and I caught lots of flak for it and refused to shortcut. I was not going to risk compromising ourselves further.

          There was some payback for all the political fallout involved with doing so - when the (multiple, independent and very expensive) consultants' reports came in many months later on what defences we'd had, what extent we were compromised, etc. etc. etc., the restoration process was highly praised - the malware was literally unknown and unrecorded before (and hence had no detections or "clean" tool - not that I'd ever run one over a clean-room restore!), the restore process was 100% clean and the other systems we'd put in place were so good that we could pretty much prove that there had been no data exfiltration out of the network (basically it spread between desktop clients on an isolated VLAN and in the process disconnected itself from the network, but we had logs of all outgoing traffic destinations).

          No data was ever discovered to be compromised, and the data protection people gave us a big thumbs-up for correctly reporting, having all the necessary systems in place, and being able to prove (at least to their satisfaction) that data could not have got out.

          When you're compromised, you take ZERO chances because the downtime will never cost you as much as a repeat compromise or continued data exfiltration.
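An added example, not code from the thread or from any organisation mentioned in it, of the kind of egress review Lee D's comment relies on when he says the outbound-destination logs let them show nothing left the network: given exported outbound-connection log lines, sum what each internal host sent to each external destination, flag destinations not on a known list, and surface high-volume transfers and denied attempts separately. The key=value log format, the internal ranges, the allowlist and the volume threshold are all assumptions, and the sample lines are constructed.

```python
"""Egress review over firewall-style outbound logs (added example; the log
format, allowlist and threshold are assumptions, sample lines are constructed)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in an assumed "key=value" firewall export format.
SAMPLE_LOG = """\
ts=2024-09-02T08:00:01Z src=10.20.1.15 dst=10.20.1.22 dport=445 bytes_out=18234000 action=allow
ts=2024-09-02T08:00:04Z src=10.20.1.15 dst=10.20.1.31 dport=445 bytes_out=17900000 action=allow
ts=2024-09-02T08:01:10Z src=10.20.1.15 dst=203.0.113.9 dport=443 bytes_out=524288000 action=allow
ts=2024-09-02T08:01:12Z src=10.20.1.40 dst=192.0.2.10 dport=443 bytes_out=120000 action=allow
ts=2024-09-02T08:02:00Z src=10.20.1.40 dst=198.51.100.77 dport=22 bytes_out=90000000 action=deny
ts=2024-09-02T08:02:30Z src=10.20.1.15 dst=192.0.2.10 dport=443 bytes_out=4096 action=allow
malformed line that should be skipped
"""

# Assumed internal ranges: traffic staying inside these is lateral movement, not egress.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
# Assumed allowlist of external destinations the business already knows about.
KNOWN_EGRESS = {ip_address("192.0.2.10")}


def parse_line(line):
    """Parse one key=value record; return None for anything that does not fit."""
    fields = {}
    for tok in line.split():
        if "=" not in tok:
            return None
        k, v = tok.split("=", 1)
        fields[k] = v
    try:
        return {
            "src": ip_address(fields["src"]),
            "dst": ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
            "bytes_out": int(fields["bytes_out"]),
            "action": fields["action"],
        }
    except (KeyError, ValueError):
        return None


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def review_egress(log_text, known=KNOWN_EGRESS, volume_threshold=100_000_000):
    """Return (allowed external bytes per (src, dst, dport), list of findings).

    Only *allowed* connections to non-internal destinations count as egress;
    denied attempts are reported on their own because they still show intent."""
    external = defaultdict(int)
    denied = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_internal(rec["dst"]):
            continue
        key = (str(rec["src"]), str(rec["dst"]), rec["dport"])
        if rec["action"] == "allow":
            external[key] += rec["bytes_out"]
        else:
            denied[key] += rec["bytes_out"]

    findings = []
    for (src, dst, dport), total in sorted(external.items()):
        if ip_address(dst) not in known:
            findings.append(f"UNKNOWN_DEST {src} -> {dst}:{dport} {total} bytes")
        if total >= volume_threshold:
            findings.append(f"HIGH_VOLUME {src} -> {dst}:{dport} {total} bytes")
    for (src, dst, dport), total in sorted(denied.items()):
        findings.append(f"DENIED_ATTEMPT {src} -> {dst}:{dport} {total} bytes")
    return dict(external), findings


if __name__ == "__main__":
    totals, findings = review_egress(SAMPLE_LOG)
    for finding in findings:
        print(finding)
```

The point of splitting "unknown destination" from "high volume" is that a large transfer to a known SaaS endpoint and a small transfer to an unknown host are both worth a look for different reasons; the review only proves anything if the log source covers every egress path, which is the condition Lee D's comment is implicitly relying on.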

    4. 0laf Silver badge
      Pirate

      Re: Questionable position

      Indeed I think you're hovering around the old Sagan quote (though it's really much older) - absence of evidence is not evidence of absence.

      And the old "currently no evidence of customer data being compromised" is the first corner on your cyber-incident-boardroom-avoidance-of-truth bingo card.

    5. DS999 Silver badge

      Does it even matter if customer data is compromised?

      Is there anyone left whose data hasn't been compromised a dozen times by now? What difference does one more make at this point? Surely I'm not alone in completely tuning that stuff out, and ignoring it when I get an email/snail mail from a company saying my personal information had been or might have been compromised recently!

      All that matters is if the data included something that might make that compromise a potentially bigger problem than most. For example, in the US you'd pay more attention to a compromise if you knew they had your full social security number - though I'm pretty sure that ship has sailed for most of us (with either a known or never discovered compromise) and once it is out there isn't anything you can do about it anyway. If you know a compromise might have included your full debit card number maybe you care - but that's a reason why I only ever use credit cards for anything since if they get that number it can't cost me anything.

      1. Andrew Scott Bronze badge

        Re: Does it even matter if customer data is compromised?

        SSNs were commonly used for drivers' licenses at one time. They were used as student IDs in many colleges at one time in the not so distant past. Wouldn't be surprised if there are copies of old spreadsheets and databases with most user identifiable data, including SSNs, floating around on old disks. Hard to believe that all of those files were rounded up and deleted.

        1. DS999 Silver badge

          Re: Does it even matter if customer data is compromised?

          Yep my SSN was my student ID when I was in college.

          My dad was an economics professor. When he died my brother went through his study (at home; he had an office as "emeritus" for about a decade but no longer had it then) and since he was a packrat there was SO much stuff! There were old printed lists of student IDs and grades, stuff like that. Since they didn't have names attached he just pitched that in the recycling. But there were probably some things that did have student IDs with names that ended up in the recycling, because if he checked every single piece of paper it would have taken him a year.

    6. UnknownUnknown Silver badge

      Re: Questionable position

      Popular appliances should have popular security fixes. The same one others apply promptly after appropriate testing.

    7. Anonymous Coward
      Anonymous Coward

      Re: Questionable position

      True. We moved to shitty Google and an ex-FOI officer was overheard saying "It's fine, we can deny most FOI requests now by claiming Google doesn't keep e-mail records". Which was partly a lie, but she claimed they'd never know.

      1. Cynical Pie

        Re: Questionable position

        I call bull poo on this if it is UK based as any FOI officer worth their salt knows that's likely to be a breach of s46 of FOI and the Records Management expectations. The ICO has issued penalties for poor records management.

        IF this is true then it's obvious why they are an ex-FOI Officer.

  2. Doctor Syntax Silver badge

    How much of the TfL IT environment is actually TfL's and how much is outsourced?

    1. Anonymous Coward
      Anonymous Coward

      It's some time since I had reliable knowledge, but certainly in the past the "routine" IT - anything that could be tightly specified (corporate desktops, desktop software, network, email...) - was, I believe, managed by third parties.

      However, the tight specification was focused very much on clerical needs and those departments for whom it was unsuitable were expected to make their own entirely separate (and disconnected) provision - though I don't think they got any of their top-sliced corporate IT budget refunded to help pay for it.

    2. tip pc Silver badge

      How much of the TfL IT environment is actually TfL's and how much is outsourced?

      I thought it was all run by the outsourcer capita, but that looks like just the road charging side.

      https://www.london.gov.uk/who-we-are/what-london-assembly-does/questions-mayor/find-an-answer/tfl-outsourcing

      1. Doctor Syntax Silver badge

        I knew of that Capita involvement but wonder how much more there is. The answers there are almost information-free.

      2. Helcat Silver badge

        "I thought it was all run by the outsourcer capita, but that looks like just the road charging side."

        It's likely it's another branch of the same company, just under a different name. I know they did an efficiency review where I used to work, and they recommended outsourcing IT, and helpfully supplied a couple of firms who they'd recommend. Those firms were all part of the larger Capita group: just another ploy to get their claws deeper into the public purse.

        No, we didn't take them up on that: They'd been told to leave IT out of their assessment (so it was the first area they looked at) and not to present recommendations about IT (so it was the first thing they presented), and were laughed at as they had to admit that outsourcing would cost more for an inferior service. But they had to recommend doing so anyway.

    3. CodeeMcCoder

      TfL used to be heavily linked to the GLA.

      The DB for Oyster for example was running on GLA's Oracle boxes.

      A lot of 'outsourced' services were actually being run from the GLA's in-house Oracle boxes.

      Seemed a weird arrangement.

      An outfit like Capita might run a particular service (staff, management), but with software/hardware infrastructure run by GLA/TfL.

  3. Tron Silver badge

    The Cake Liberation Organisation take their revenge?

    TfL banned posters for a play called 'Tony n' Tina's Wedding' because they had a wedding cake on them. It was seen to promote "foods high in fat, salt and sugar".

    The ULEZ is also run (by Capita) on behalf of TfL.

    This may be one of the very few cases of ransomware where I shall withhold all sympathy.

    1. MonkeyJuice Bronze badge

      Re: The Cake Liberation Organisation take their revenge?

      Please at least retain some sympathy for the millions of unfortunate corporate underlings forced to use TfL every day who may be impacted.

    2. Missing Semicolon Silver badge

      Re: The Cake Liberation Organisation take their revenge?

      Don't forget the poor travellers who have data on there. What about photo ID cards - does TfL do those?

  4. Anonymous Coward
    Anonymous Coward

    I hope it's better than Scotrail... but I doubt it

    about 20 years ago I had the misfortune to do some contracting that had me working in Scotrail IT department.

    They would have a habit of just adding a "wee hub there" (4 port Netgear ones) every time they needed to add a PC or move it a bit further from a socket.

    The ping times from one side of Glasgow to the other were incredible (I had similar times Aberdeen to West Africa).

    I doubt that they ripped that all out, so there will be a wee hub or two kicking around for someone to plug into...

    1. Julian Poyntz

      Re: I hope it's better than Scotrail... but I doubt it

      At least you can't hack a "wee hub"

      1. Anonymous Coward
        Anonymous Coward

        Re: I hope it's better than Scotrail... but I doubt it

        But you can't differentiate the wee hub you put in from the wee hub someone who waved a pass at reception saying they were from IT put in and connected to the base unit they were carrying.

        As achieved by Red Teams pretty much everywhere.

    2. Anonymous Coward
      Anonymous Coward

      Re: I hope it's better than Scotrail... but I doubt it

      I had similar times Aberdeen to West Africa

      Much like taking Scotrail to Inverness.

  5. Neil 44

    Pro-Tyre also are claiming they were hacked yesterday - just when I'm trying to get some tyres from them!

  6. clintos

    Khan cant

    In the latest chapter of Sadiq Khan's transport masterclass, TfL has fallen victim to a cyber attack, leaving Londoners wondering if the hackers might actually improve the service. The once sluggish system has now come to a full standstill—not thanks to signal failures, staff shortages, or strikes, but to some anonymous keyboard warriors who, ironically, seem to be running the show more efficiently than City Hall. Perhaps Khan was just ahead of the curve, outsourcing TfL’s operational collapse to cybercriminals because who needs a functioning transport system anyway? After all, nothing says "progressive leadership" quite like grinding London to a halt with a touch of digital sabotage. Bravo!

    1. Anonymous Coward
      Anonymous Coward

      Re: Khan cant

      I guess you would have preferred liar and racist Susan Hall to have been elected London Mayor then.

      She is unfit to hold any public office.

      1. MrRimmerSIR!

        Re: Khan cant

        Firstly, he is.

        Secondly, I'm not sure which of these your comment comes under. Feels like 8 but it could be 2.

        https://www.grammarly.com/blog/logical-fallacies/

      2. Missing Semicolon Silver badge

        Re: Khan cant

        Bit of an assertion there. Is that based on facts, or just "Tory, therefore racist"?

  7. Mixedbag

    Pick one

    If this is true:

    An ICO spokesperson wrote in an email, "Transport for London has made us aware of an incident and we are assessing the information provided."

    Then this probably isn't:

    there is currently no evidence of customer data being compromised or impact to TfL services.

    1. UnknownUnknown Silver badge

      Re: Pick one

      Each way bet:

    2. Cynical Pie

      Re: Pick one

      Or, as someone who has made breach notifications to the ICO: more likely they have a suspicion personal data has been compromised but there is nothing to confirm one way or the other, and so they are erring on the side of caution and made their notification to the ICO on the basis of "further details to follow", in order to ensure they met the statutory 72 hr reporting requirement.

      I have done that but then we have subsequently been able to go back to the ICO with further information etc demonstrating that personal data wasn't compromised and so that was the end of it.

  8. Anonymous Coward
    Anonymous Coward

    "The TfL hack was their Cisco VPN getting popped."

    Having recently been switched over from our own departmental VPN (from another vendor and with Linux support) to an organisation-wide Cisco one (with Linux unsupported, at least within our organisation) on the basis it would be cheaper and less work for us to support (except now we can also no longer run our own DNS and have to send all IP changes up the chain), I can only wish that I could post anonymously and use the flame icon. Maybe a couple of flame icons and the nuke one.

    The extra cherry on the cake is the client-side trojan the thing requires for device verification (which is of course broken on linux as the org doesn't support it), "please trust cisco to download and run some arbitrary code on your machine."

    (That openconnect will successfully talk to it if the useragent is set to AnyConnect, while the genuine AnyConnect client can't, only further increases my confidence in this solution. add more flames here)

  9. Anonymous Coward
    Anonymous Coward

    It's the Netscalers.

    My guess is that they had some load balancing set up on it for inbound Internet traffic, decommed the system, but not the load balancing, and then reused the IPs for something else and inadvertently exposed it to the world.

    Public Sector amateurs strike again.

    1. Anonymous Coward
      Anonymous Coward

      Not amateurs when you're underpaid, do a good job but then they hire in bad engineers because they are mates of a mate of a mate. Or "I'll hire him in so he can hide my incompetence". And when you have managers micro managing you, who have fuck all IT knowledge and tell you to "Just get it done" when you inform them what they are asking is outside of your JD BUT also outside of your skill set and that if you do attempt to "Get it done" it might not be secure.
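An added example, not code from the thread and not a claim about what happened at TfL, of the check that would catch the misconfiguration the Netscaler comment above guesses at: a load-balancer virtual server left behind after its backends were decommissioned, still listening on a public VIP that has since been handed to something else. It reads a small, constructed ns.conf-style fragment (an assumed subset of the `add server` / `add service` / `add lb vserver` / `bind lb vserver` syntax), compares it against an asset inventory and the current public IP allocation, both constructed, and reports vservers whose VIP is now allocated elsewhere or whose backends are all gone.

```python
"""Orphaned load-balancer vserver audit (added example; config lines, inventory
and IP allocation are constructed, and only a small subset of the real syntax is parsed)."""

# Constructed ns.conf-style fragment (assumed subset of the NetScaler CLI forms).
SAMPLE_CONFIG = """\
add server web01 10.20.5.11
add server web02 10.20.5.12
add server legacy01 10.20.9.50
add service svc_web01 web01 HTTP 80
add service svc_web02 web02 HTTP 80
add service svc_legacy legacy01 HTTP 8080
add lb vserver vs_public_web HTTP 203.0.113.20 443
add lb vserver vs_old_portal HTTP 203.0.113.21 443
bind lb vserver vs_public_web svc_web01
bind lb vserver vs_public_web svc_web02
bind lb vserver vs_old_portal svc_legacy
"""

# Constructed: backend hosts still present in the asset inventory ...
LIVE_HOSTS = {"10.20.5.11", "10.20.5.12"}
# ... and what each public address is currently allocated to (vserver name or other use).
CURRENT_PUBLIC_ALLOCATION = {"203.0.113.20": "vs_public_web", "203.0.113.21": "new-sftp-gateway"}


def parse_config(text):
    """Pull servers, services, vservers and bindings out of the config fragment."""
    servers, services, vservers, bindings = {}, {}, {}, {}
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["add", "server"] and len(parts) >= 4:
            servers[parts[2]] = parts[3]                        # name -> IP
        elif parts[:2] == ["add", "service"] and len(parts) >= 6:
            services[parts[2]] = {"server": parts[3], "type": parts[4], "port": int(parts[5])}
        elif parts[:3] == ["add", "lb", "vserver"] and len(parts) >= 7:
            vservers[parts[3]] = {"type": parts[4], "vip": parts[5], "port": int(parts[6])}
        elif parts[:3] == ["bind", "lb", "vserver"] and len(parts) >= 5:
            bindings.setdefault(parts[3], []).append(parts[4])  # vserver -> [service]
    return servers, services, vservers, bindings


def audit(text, live_hosts=LIVE_HOSTS, allocation=CURRENT_PUBLIC_ALLOCATION):
    """Return findings for vservers that should no longer be exposed."""
    servers, services, vservers, bindings = parse_config(text)
    findings = []
    for name, vs in sorted(vservers.items()):
        # The VIP is now recorded as belonging to something other than this vserver.
        owner = allocation.get(vs["vip"])
        if owner != name:
            findings.append(f"VIP_REUSED {name} on {vs['vip']} now allocated to {owner}")
        # Resolve bound services to backend IPs and check them against the inventory.
        backends = [servers.get(services[s]["server"])
                    for s in bindings.get(name, []) if s in services]
        dead = [ip for ip in backends if ip not in live_hosts]
        if not backends:
            findings.append(f"NO_BACKENDS {name} on {vs['vip']}:{vs['port']}")
        elif len(dead) == len(backends):
            findings.append(f"ORPHANED {name} on {vs['vip']}:{vs['port']} "
                            f"all backends decommissioned: {dead}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A vserver with dead backends is not harmless just because nothing answers behind it: the listener on the VIP still responds, still presents whatever the appliance itself exposes, and still draws attention to an address the address plan now says belongs to something else. Decommissioning the backend is only finished when the vserver, its services and the VIP allocation all go with it.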

  10. StrangerHereMyself Silver badge

    Despicable

    I find it despicable that an appliance which is specifically devised for securing network access becomes itself a channel for intrusion.

    What use are such devices if they're not 100% guaranteed secure? If they cannot be then they have no reason for being.

    1. Death_Ninja

      Re: Despicable

      VPN servers and the like are Internet facing. They also are the keys to the kingdom.

      Hence they are number one top of the list for people to develop new hacks for.

      If you manage to find a zero day then you have a very valuable exploit that you can sell.

      That's why they keep getting broken.

  11. Anonymous Coward
    Anonymous Coward

    Hah......."exfiltration attempt"......

    Those with a long memory will recall the Equifax hack.

    That was the "exfiltration attempt" that lasted at least four months.......but might have been YEARS long!!!

    What this language "exfiltration attempt" actually means is this:

    - "We have just noticed....but it might have been going on for years!"

    Welcome to the internet!!!!!
