Transport for London confirms 5,000 users' bank data exposed, pulls large chunks of IT infra offline

Transport for London's ongoing cyber incident has taken a dark turn as the organization confirmed that some data, including bank details, might have been accessed, and 30,000 employees' passwords will need to be reset via in-person appointments. TfL dropped the claim it made earlier this week that there had been "no evidence" …

  1. spireite Silver badge
    Coat

    Mind the gap.....

    ... in our security protocols.

    Hack into TfL's inevitably large databank, and the world is your Oyster

    1. Sudosu Bronze badge

      Re: Mind the gap.....

      They were trying to find a Perl.

      1. Tom Chiverton 1 Silver badge

        Re: Mind the gap.....

        "Line managers/people leaders will use WhatsApp groups to share updates "

        Let's hope that's not been popped as well as their corporate AD, eh? Most people will be there with their *personal* mobiles...

        1. spireite Silver badge
          Joke

          Re: Mind the gap.....

          Surely they should use the other platform, Signal.

  2. Guy de Loimbard Bronze badge

    I'm quite sure this will expand beyond the only 5,000 users data leaked.....

    At least TfL appear to be doing something about it!

    Also this: https://www.bbc.co.uk/news/articles/c4gqg2elkj4o

    1. Tom Chiverton 1 Silver badge

      My god. It *was* a script kidz. A *teenager* at that.

      1. The man with a spanner

        So not a Russian nor an Islamic Terrorist. The IT men get everywhere you know.

  3. Anonymous Coward

    In-person password resets?

    Is their SSL certificate compromised? Or their web infra so compromised they can't bring it online?

    1. Tom Chiverton 1 Silver badge

      Suggests they don't know who works for them any more, and what their access levels should be, so are going to fall back to physical company ID cards, and rebuild their directory from there.

      1. TkH11

        They know who works for them. They just haven't been maintaining the accounts properly - joiners, movers, leavers. A basic principle of cyber security.

        So are forcing all employees to confirm they still need access to the platform(s).

        1. PrivateBaldrick

          JML is a shambles. But they also don't know who works for them.

    2. Richard 12 Silver badge

      It's a large workforce

      Faking someone's voice over the phone is relatively easy, and wouldn't need to be particularly accurate to convince an overworked IT helpdesk phone support bod.

      In-person is a lot harder to fake, especially as everyone already has a workplace photo ID.

      Almost everyone starts their shift at one of the depots, so it's not actually a hardship as they're going to be there anyway.

      1. Plest Silver badge
        Unhappy

        Re: It's a large workforce

        I doubt they were overworked, they were probably some £20/hr helpdesk lackey who doesn't really give a shit about the job, it's just better money than TESCO and they can pay off their student loan while looking for a proper job.

        1. UnknownUnknown

          Re: It's a large workforce

          Says it all. Capita and Woke nonsense. The estimated £6.3m renaming of Overground stations would have been better spent on IT security, perhaps some HR processes for staff/security management and some PEN testing.

          https://www.capita.com/our-work/working-tfl-keep-london-moving#:~:text=Capita's%20data%20network%20infrastructure%20enables,the%20Tube%20to%20run%20smoothly.

          https://www.capita.com/our-work/working-tfl-keep-london-moving

          https://www.bbc.co.uk/news/articles/ce9zrj9vv5yo.amp

          https://www.bbc.co.uk/news/uk-68315382.amp

          1. Ian Johnston Silver badge

            Re: It's a large workforce

            No Overground stations were renamed.

            1. UnknownUnknown

              Re: It's a large workforce

              https://tfl.gov.uk/info-for/media/press-releases/2024/february/london-s-overground-lines-to-be-given-new-names-and-colours-in-historic-change-to-capital-s-transport-network

              Lines sorry, not stations. Memory shortfall. It still cost a fuck load of money and was a huge management distraction to BAU stuff like security and knowing who works for them.

              That’s for corporate naming stunts - Burberry and Samsung.

          2. Ross 12

            Re: It's a large workforce

            How the bloody hell did you get 'woke' into it?

            1. b1k3rdude

              Re: It's a large workforce

              If it has to be explained to you, then you're never going to understand.

              1. TkH11

                Re: It's a large workforce

                Surely explaining it facilitates understanding.

                You just don't want to explain it because there is no credible explanation, so you need to employ deflection.

      2. Anonymous Coward

        Re: It's a large workforce

        They also have a ton of back office staff that don't report to depots and can report to multiple buildings or work from home.

  4. f4ff5e1881
    Joke

    Press Release

    From today's TfL Press Release regarding the ongoing cyber security incident:

    "Although there has been very little impact on our customer so far, the situation continues to evolve..."

    That may be so, but Eddie is getting very annoyed.

  5. Howard Sway Silver badge

    could include bank account numbers and sort codes

    TfL employees will have to do what I often had to when I commuted across central London and half the Northern Line was up the spout again : travel home via the Bank branch.

    1. Vometia has insomnia. Again. Silver badge

      Re: could include bank account numbers and sort codes

      After I'd been working in London for just a short time I decided it was easier to walk the mile-and-a-half from Liverpool Street to the Arse End: I had a choice of Central, Circle, etc but they were all so problematic, and always had about a billion sweaty commuters packed onto the platform already.

      My colleagues seemed grateful. Although they didn't believe in any sort of woo in the slightest, they noticed I'm so technophobic that the train always broke down when I got on it but was mostly reliable in my absence.

    2. xyz Silver badge

      Re: could include bank account numbers and sort codes

      Blimey, is the Northern line still broken? I think it failed around 1987 and I presumed someone had got 'round to fixing it.

  6. Kjm35
    Joke

    Motorists will pay

    Glad I don’t drive in London.

    When the ICO fine them, Mr K will need to increase CC, ULEZ, parking fine, new tolls etc to make up the shortfall

    1. John_Ericsson

      Re: Motorists will pay

      The ICO have acknowledged the issues with fining the public sector (and the same issues apply to not-for-profit orgs undertaking public services), and will use their "discretion" to reduce fines. I have spent the last 5 mins thinking of alternatives and cannot think of any.

      1. Anonymous Coward

        Re: Motorists will pay

        Fire the top 5 levels of management?

        1. Vometia has insomnia. Again. Silver badge

          Re: Motorists will pay

          Spike Milligan's Dalek recommends "put them in the curry!" which is one possibility.

        2. Plest Silver badge

          Re: Motorists will pay

          Sack Mr Khan, save money and we might get some sense in the city offices. Although I doubt it very much as they'll just hire another brainless, mouthy idiot to run the shit-show that is the city council.

        3. b1k3rdude

          Re: Motorists will pay

          Yep, including the top Khant.

      2. EvilDrSmith

        Re: Motorists will pay

        Make them do all their travelling around London by Bus?

        1. Korev Silver badge
          Pirate

          Re: Motorists will pay

          The buses in London are good; they should try Cornwall...

          Pirates of Penzance icon -->

      3. Richard 12 Silver badge

        Re: Motorists will pay

        Fine the top management instead.

        Perhaps the sum of the last two years bonuses.

  7. Barry Rueger

    Surprised? No

    I assume that any information about me, anywhere on-line, has been, or will be hacked or stolen.

    At this point it's simply inevitable .

    Can it be stopped? I'm inclined to think that most IT infrastructure has grown to the point where no-one entirely understands it. The size and complexity makes it a great target for hackers and governments.

    Until something really, really, REALLY massive happens I can't see that changing.

    1. IGotOut Silver badge

      Re: Surprised? No

      @barry

      Well given 26 BILLION records were leaked earlier this year, not sure how much more massive it needs to get.

      Oh, you're talking Panama Papers type massive leak, not peasant class level.

    2. Plest Silver badge
      Facepalm

      Re: Surprised? No

      This is what I'm starting to think, let's all just get to "saturation point" where leaks will not be worth it anymore as 90% of people's details will have been leaked anyway!

    3. MachDiamond Silver badge

      Re: Surprised? No

      "Can it be stopped? I'm inclined to think that most IT infrastructure has grown to the point where no-one entirely understands it."

      There's been no downside to dodgy security thus far. Anybody that can get people to give them PII, will do so and store it to be sold on. There's no risk to the company should something go wrong.

      There are ways to store information that isn't available in one large dump on demand if it needs to be accessed regularly. Sure, the C-level idiots may want that function for themselves, just in case, but it just opens up a giant hole in security. For particularly sensitive data such as hospital records, having a requirement that people needing large data sets work from an approved location that has physical security and checks. A physician that needs to look at charts for their patients in hospital could do that via their unique login if they are on record as attending that patient.

  8. tip pc Silver badge
    Big Brother

    17 year old arrested for the hack?

    How does a 17 year old amass the knowledge to hack through the multiple security layers between the data and the culprit?

    Even if security is lax, it can't have been trivial.

    Either the culprit had access to the systems via a relative leaving a computer unlocked, they had the credentials, or they were just a patsy for a more skilled entity with the skills, expertise & experience to do this.

    At a guess they'd need to circumvent AD, 2FA, VPN appliance. None of that is trivial and should be far far beyond a script kiddie.

    1. Anonymous Coward

      None of that is trivial and should be far far beyond a script kiddie.

      Try Falcon Mamba SSLM. Get it into a loop and break the guardrails.

    2. Plest Silver badge

      Re: 17 year old arrested for the hack?

      I started coding when I was 9 years old back in 1982. I was tall, spotty and into Iron Maiden and Saxon by age 12, I wasn't exactly popular among the girls as a teenager!

      So I spent most of my youth in my bedroom alone hacking assembler until midnight most nights. When you're a 14-year-old geek you have 2-3 friends who are into the same things as you so you're in competition with each other to learn more and impress each other, you soak up knowledge like crazy and you have boundless energy. I once coded straight from 6pm Friday night until 2am Sunday morning living just off sweets and whatever my mum cooked me, up until I just fell off my chair and just crawled to the bed for 5 hours kip and carried on for another 8 hours. I was obsessed with learning more and more so I could beat my mate over a tricky problem we'd found in some Z80 assembler code we'd disassembled in something.

      Back then we had to learn stuff on our own with just books and mags, we didn't have forums. These days kids into the same thing have thousands of posts, code samples, FOSS, forums that will encourage competition between people willing to put in the time.

      We all think all kids today are glued to TikTok 24/7, a lot are but there's a lot of very smart, driven kids out there who are misled into dodgy areas such as hacking, the thrill of showing off in front of your peers is timeless for teenagers and the most powerful driving force there is for kids.

      1. tip pc Silver badge
        Pint

        Re: 17 year old arrested for the hack?

        @Plest

        Most of us on this forum have similar history.

        Big difference is that a Z80 Spectrum was an 8-bit home computer with up to 128KB of RAM.

        It took you a weekend to decode some Z80 Spectrum assembly code to achieve something before your buddy did; this guy had at least 3 different systems to defeat plus navigate through an unknown environment to access sensitive information he likely didn't know was there.

        At my place of work we have multiple teams whose job it is to implement and support aspects of those types of systems, ensuring it satisfies penetration testing before being implemented & ongoing periodic testing, and is in compliance with the vendor and industry best practices.

        I assume that TfL systems are similarly implemented, scrutinised and tested.

        How is a motivated 17 year old going to learn AD and learn how to defeat it against best practices?

        Makes sense if it's a gang of hackers or a nation state with teams of experts etc, but a lone 17 year old defeating multiple systems & then not having the skills to prevent being traced doesn't pass the sniff test.

        Beer as it's Friday, I'm sure it's noon somewhere

        1. tiggity Silver badge

          Re: 17 year old arrested for the hack?

          @tip pc

          If it was a 17 year old then being traced is not that unlikely (IMHO) - breaking in is the exciting thing, covering your tracks far less of an adrenaline rush, & it's far easier for people to find out exploits online than it is to find really good* advice on how to act stealthily.

          .. Plus you are assuming best practices & well patched systems, often not the case even in large organisations.

          And never forget the human factor, be it shoulder surfing usernames / passwords, finding them written down, phishing emails to get creds, helpdesk social engineering approach etc. Depending on the creds you get it might be a key to the lowliest door & a long slog to work up from there, or it may be at or near to keys to the kingdom level**.

          * Lots of fairly poor advice out there about how to cover your tracks

          ** Never underestimate the likelihood of those high up in an org to be at least as easily duped as those nearer the bottom in creds phishing attacks. Plus there's some quite good tooling out there to generate convincing speech based on voice samples of an individual so an attacker can plausibly sound like a CEO, CFO etc (the hard part may be getting the voice sample to begin with, depending on the "visibility" of the target e.g. lots of video clips of many CEOs as part of a CEO job is public facing speeches etc.)

          1. MachDiamond Silver badge

            Re: 17 year old arrested for the hack?

            "Plus there's some quite good tooling out there to generate convincing speech based on voice samples of an individual"

            There's an ad on YT for a product that lets you change your voice to all sorts. If you need an older male voice with a Sydney accent, they might have it. A mature lady's voice to play the part of a VIP's secretary.... A young girl's voice to be the company president's daughter. The product is supposed to be for independent content producers, but I see it as a social engineering dream.

      2. munnoch Bronze badge

        Re: 17 year old arrested for the hack?

        "a tricky problem we'd found in some Z80 assembler code we'd disassembled in something"

        You mean trying to break copy protection???

      3. MachDiamond Silver badge

        Re: 17 year old arrested for the hack?

        "Back then we had to learn stuff on our own with just books and mags, we didn't have forums. These days kids into the same thing have thousands of posts, code samples, FOSS, forums that will encourage competition between people willing to put in the time."

        You must really go back. I'm no spring chicken and was on a few BBSes before the internet that had discussions about *things*. I'd have to save up to do any war dialing as calls to a number 10 miles away could be "local long-distance" and cost money. I didn't know about Blue Boxing until the telcos pretty much cut that off. (I do have a Captain Crunch whistle).

        Today it's far easier to find more information in a snap. I don't have to dial into a system from a POTS line either, I could use the wi-fi of a downtown hotel. Slow but pretty anonymous. The speed is considerably faster too.

    3. cookieMonster Silver badge
      Trollface

      Re: 17 year old arrested for the hack?

      Tried admin/admin anywhere he was asked for a username/password

    4. b1k3rdude

      Re: 17 year old arrested for the hack?

      Never underestimate human stupidity..

    5. MachDiamond Silver badge

      Re: 17 year old arrested for the hack?

      "even if security is lax, it can't have been trivial."

      Just realize that a teenager living at home has nearly no costs so doesn't have to work to eat and also has lots of free time to fixate on something. They might be skilled, but could also have stumbled across some insecure information left lying around by some contractor and used it to access something. The point is that the victim wasn't chosen in advance and was just picked based on that insecure load of Login/Pass pairs that was found.

      I'd agree that if you picked TfL as your target and worked from there, it might be a tough nut to work cold.

      1. tip pc Silver badge

        Re: 17 year old arrested for the hack?

        It’s more that some of this stuff is tricky enough to implement when it’s your job and you have all the equipment, plus professional services, plus vendor support.

        Due to the blame game, public facing entities like to stack their implementations with logos so when the fan starts running they can evidence they did everything right according to vendor best practices etc, including having the vendor or its affiliated partner to install, implement and train staff on use.

        Everything should be stacked against a hacker gaining non-authenticated access, leaving authenticated access as a remaining probability which should be mitigated as best as possible.

        This fuels my view that the "hacker" had access via a relative's / friend's legitimate access, likely remote access.

        I still doubt very much a 17 year old can sidestep at least 3 x technologies in the way to the data, regardless of how smart and motivated they are.

        I bet we never get the detail.

  9. chivo243 Silver badge
    Devil

    and then bailed

    Did he get away? Bailing in US means to hotfoot it out of there, never to be seen again.

    1. John Brown (no body) Silver badge

      Re: and then bailed

      Don't the US have bail bonds and bounty hunters and stuff? I'm pretty sure bail is a thing in the US. Or is it just that you don't use the term "bailed"?

      Or was that Lee Majors show The Fall Guy about a stuntman cum bounty hunter not real? :-)

      1. chivo243 Silver badge
        Go

        Re: and then bailed

        Yes, we have bail or bailed out (of jail), but some places are doing away with it?? Not sure why. So we have Dog the Bounty Hunter, and Dale Gribble. But bail or bailing is a slang term for leaving, cutting your losses, going away fast. Think bailing out of a damaged airplane... so, leaving a bad situation!

        1. John Brown (no body) Silver badge
          Joke

          Re: and then bailed

          Yes, one of those weird words that has a different meaning when used in a different context. Who'd a thought it was possible?:-)

  10. Anonymous Coward

    #met2o

    TFL was hacked about 2 weeks before. Apple Watches stopped working on the barriers for a whole day at times.

    Last week TFL tried taking 5k from my account. It has taken at least double the correct travel charges. Instead of £3.20s it's 2x £6.10.

    I have cancelled the card and shifted all the money out and run that account on a need-to-use basis now with minus funds unless needed.

    I don't even want to read this article. Station guard at Victoria agreed. Someone is rinsing the accounts of TfL users but in a hard-to-notice way - apart from the all-day requests for the 5K which my bank caught, TG.

    I hate being a doom sayer but I feel this hack is massive. Really massive. AI is in there. I can feel it. This hurts. Password warnings are popping up on my iPhone. All changed daily ATM by me.

    My stomach is turning. This is not a group of hackers. No way. I wouldn't be surprised if this was a one-man show who ran this all thru some of the AI models like we have in quarantine. All he would need to do to build that is to use a LLM to create a hybrid model of second abstraction using the 'sub-atomic'-like (Christ this is tricky ... ) synaptic-like 'data'. It turns out that there is a world of data in-between the neurons. Same with next-gen AI/SI.

    1. Anonymous Coward

      so thaT means

      the AI can escape all current guardrails and security with hyper-loop/encoding hacking.

      That is what I would do.

      It might even be easier. If TfL have an in-house LLM and that somehow got exposed to the internet, then that is a piece of cake. I bet that is what happened. Some tart didn't localhost their LLM. LOL. Do they have a ChatBot? This is going to be such fun.

      1. Anonymous Coward

        Re: so thaT means

        it was a lone wolf. I bet you he used AI.

        1. Jimmy2Cows Silver badge

          Re: so thaT means

          Pass the bong dude, let someone else have a go.

    2. anonymous boring coward Silver badge

      Re: #met2o

      AI? Perhaps. But plenty of hacking has been done for decades by teenagers. No AI required.

  11. Anonymous Coward

    Oh dear, we cynics from the previous post on this proved right, again.

    Why do they keep wheeling out the "no evidence that data has been stolen line", it's a red flag on its own now.

    1. fluffymitten

      You'd rather they say data has been stolen but they don't know what or where from? They have to notify ICO within 72h and it makes sense at that point to also make a public holding statement while they work out what's happened. It's not impossible to believe that statement was true at the time it was made.

      I think people can be too quick to claim malicious intent from a holding statement, especially when the complexity of systems mean that tracing the breach and its impacts means answers won't be forthcoming quickly.

      I think they have done a fairly decent job of communicating so far when you compare other organisations' responses to similar events.

  12. Long John Silver
    Pirate

    Talented youth?

    Shouldn't teenagers capable of running rings around complacent corporate and government agencies be sent to a 'boot camp' wherein they receive intellectual stimulus and are enabled to hone their skills for constructive uses? Of course, in a nation run by unimaginative people, that will never happen. Instead, unrelenting application of legal 'due process' will stultify the youth's potential and deny the community an asset.

  13. Gort99
    Childcatcher

    I blame the parents

    If it does turn out to be a 17 year old "script kiddie" what are the bets one of their parents work for TfL in some capacity?

    1. anonymous boring coward Silver badge

      Re: I blame the parents

      Even if true, why would you blame the parent?

      It's pretty certain the parent would have been unaware of the 17 year old's doings.

  14. MrGreen

    More Bonuses.

    When TFL went bankrupt the head of TFL still got his £350k salary and £150k bonus.

    He’ll still get the same this year.

    Rewards for failure.

    1. Anonymous Coward

      Re: More Bonuses.

      It was hardly normal circumstances. During covid the stay home message meant they had far fewer customers so less fare income.

      TfL kept running through covid allowing hospital staff etc. to get to work.

      They're not bankrupt now.

  15. MTimC

    What kind of threat actor did this?

    I must say that only nabbing a 17 year old doesn't strike me as a terribly well funded attacker. If TfL is vulnerable to a "script kiddie", that doesn't bode well if someone with resources decides to have a go.
