Public sector cyber break-ins: Our money, our lives, our right to know

At the start of September, Transport for London was hit by a major cyber attack. TfL is the public body that moves many of London's human bodies to and from work and play in the capital, and as the attack didn't hit power, signaling, or communications systems, most of the effects went unnoticed by commuters. The organization …

  1. Pascal Monett Silver badge

    I completely agree

    The entire computing industry has been surfing way too long on the Ts&Cs of Borkzilla, aka "if it goes wrong, it's not our fault".

    The aviation industry (despite Boeing's best efforts) is like a hawk on every failure. Lives are at stake.

    The vehicle industry is subject to recalls and almost self-regulates its problems. Lives are at stake.

    Computing? It's a bunch of bits. Nobody dies.

    Yeah but, more and more, those bits determine the livelihood of actual, breathing, living beings.

    Lives are at stake now. It's high time we bring in the inspectors and the full failure reports and we stop letting it happen again.

    I don't care if Facebook drops off the Internet for a while. I do care that my government-mandated identity is protected and properly cared for.

    1. sitta_europea Silver badge

      Re: I completely agree

      "... I do care that my government-mandated identity is protected and properly cared for."

      Yeah, #metoo [*].

      But while we have nitwits in government who can't be bothered to read what they spout [**]

      8<--------------------------------------------------------------------------------------------

      "The security requirements include addressing cyber security risks through proposing to implement the standard ETSI EN 303 645 ..."

      8<--------------------------------------------------------------------------------------------

      and are willing to ignore the wishes of people who, when asked for permission to publish their highly personal data on the Internet, refused it [****]:

      8<--------------------------------------------------------------------------------------------

      "... Care Minister Stephen Kinnock defended the move, saying the government was "absolutely committed" to protecting patient data. He said safeguards providing a "cast iron guarantee" on security would be set out in a new bill that will be put before Parliament to push ahead with the move."

      8<--------------------------------------------------------------------------------------------

      then I guess we're screwed.

      [*] Did I get that right?

      [**] https://assets.publishing.service.gov.uk/media/6659f0147b792ffff71a8601/smart-secure-electricity-systems-2024-energy-smart-appliances-consultation.pdf [***]

      [***] Despite the fact that in April 2024 when this document was published I warned them that EN303645 isn't even remotely adequate, it is still published at

      https://www.gov.uk/government/consultations/delivering-a-smart-and-secure-electricity-system-implementation

      [****] https://www.bbc.co.uk/news/articles/cz7j73vx9v3o

    2. abend0c4 Silver badge

      Re: I completely agree

      I'd add that in the construction industry - where there are often extremely complex contracting arrangements with many interdependencies and a whole lot of external factors from weather to unforeseen ground conditions - it has latterly been accepted that everyone needs to work collaboratively to resolve problems that occur during projects because the most likely outcome of finger-pointing is that everyone loses money, even those who claim total innocence.

      Too much of the post-breach analysis seems to focus on the attribution of blame which, even in the case of genuine error, is not the most effective way of preventing future incidents - ask a medic or a pilot.

      1. Ian Johnston Silver badge

        Re: I completely agree

        Air, marine and railway accidents are investigated by the A/M/RAIB with the aim, as you say, of preventing recurrences. Evidence given to the investigators, and their reports, cannot be used in criminal prosecutions, which increases the incentive to speak out.

        I'm not confident that the same applies to doctors or the NHS generally, where the institutional instinct still seems to be to circle the wagons, protect the guilty (particularly if they are doctors and even more so if they are consultants) and ostracise whistleblowers.

        1. Al fazed

          Re: I completely agree

          It's the same in the Social Housing Sector. The Housing Ombudsman has no teeth to prosecute Housing Associations, as they can block investigations into themselves and can conduct internal inquiries where they should be Mediated by external evaluators. Anti Social behaviour Officers can commit perjury in the County Court Families Division and can get away with it. Managers do not need to do accurate reporting of meetings any more, even though their job description demands it. The Solicitors Regulatory Authority merely parrot the response of the solicitors who have been complained about. Get this, it is OK to hide the defendants evidence from the Judge and the Court, because "the defendant did not reply on it in court".

          Not much of a body count though, just the occasional suicide or homeless person who has been unlawfully evicted and who is unable to enlist help from any of the organisations which provide safety nets to protect vulnerable people from abuse.

    3. Anonymous Coward

      Re: I completely agree

      Absolutely agree and they are the fuckwits who want to issue national ID cards, surveil every waking moment and gather all our data in one easy to steal repository so they can monetise our healthcare and every aspect of our lives

  2. Anonymous Coward

    Unpleasant truth

    Public services are underfunded and too expensive in the UK. There is a nice video* of how landlords profit enormously from public improvements, while contributing zero.

    Recent natural disaster from floods in Spain and any post-war recovery showcases that it is the labor that creates and maintains wealth. Destroyed land without public workers is worth zero. But it is the labor that is heavily taxed, while workers stay relatively poor.

    Many revolutions started because of land. Recent social tensions could be related. Some of it is generational: younger people feel hopeless. Tax structure must be changed to reduce burden on workers. And it is likely the only way to drive economic growth.

    *https://www.youtube.com/watch?v=Li_MGFRNqOE

    1. Doctor Syntax Silver badge

      Re: Unpleasant truth

      So where does the extra investment come from?

      Oh, silly me. It's obvious isn't it? The magic money tree.

      1. jospanner Bronze badge

        Re: Unpleasant truth

        Bad faith engagement which assumes the only possible revenue source is one particular type of taxation, amazing stuff.

  3. Doctor Syntax Silver badge

    Are we thinking just public sector here or some level of private sector as well? It certainly ought to extend to those bits of the private sector that come under the heading of critical infrastructure and those handling contracted out public sector operations. Should it also extend to what the EU call gatekeepers? Or beyond to those holding large amounts of personal data?

    1. Vometia has insomnia. Again.

      It looks like something straight outta the Lewis Page era. Only with American spelling.

      Seems a bit of an edgelord take on clickbait.

      Ugh, I'm fiftysomething and look like my grandmother when she was 60something. Why am I using "yoof" terminology?

    2. Anonymous Coward

      They're getting more difficult to untangle every month as they sell off more of our national assets to private companies

  4. Guy de Loimbard Bronze badge

    One of the challenges here is getting the issues understood, with the right level of gravitas, then getting those issues in front of the right people, to decide how to "regulate".

    The next challenge is defining what Cyber Security means and how to accurately and universally define it so you could regulate it.

    I believe the great Grace Hopper once said that the value of data is not understood, or something similar, see this: https://www.youtube.com/watch?v=ZR0ujwlvbkQ1

    Cyber Security events also have differing impacts and it would appear that only the fact something bad has happened is the constant, so we would find it hard to regulate Cyber Security.

    Currently the myriad international regulators, acts of law and so on are beginning to have a level of Cyber Security baked into them, think DORA, GDPR, NISR, NIS2, NYS the list goes on, but there isn't a unified approach yet.

    Now, if you're on about reporting, then there's plenty of that required from various National Competent Authorities, however, the requirements don't specify the public be fully notified.

    It's a complex subject without a simple, single silver bullet as a solution.

  5. Anonymous Coward

    Lies, cover ups and saving face

    Having worked in the public sector during a cyber attack, “a sophisticated complex cyber attack”, I can say with experience that things were covered up. Within the business it was different information to different departments. The public announcements were basically lies and external agencies who helped investigate the attack were either deceived or part of the cover up. The “sophisticated” or “complex” words seem to be used a lot to misdirect from the fact that it was incompetence or lack of care.

    In our instance, no one was called out on the shortcuts or lack of basic security practices. Daily use accounts had domain privileges; these accounts as well as some proper admin accounts were left logged in to servers for days if not weeks at a time. When things didn’t work with proper security permissions, full access was granted to get it to work.

    There were no air gapped backups and no working DR site; we had precisely 1 backup, which was encrypted by the ransomware. A few old backups were discovered dotted around other machines which were untouched by the ransomware and it was announced “we did everything we could and followed all security best practices, including 3 separate backups”. All lies.

    The entry point for the ransomware was an email on our unprotected virtual desktops. No anti-virus or anti-malware on our virtual desktops. Not even Defender. Very little logging either; that was deemed a waste of disk space.

    I followed my own security procedures; regular backups, don’t add domain admins group to every server - just individual named admin users. I lost nothing on my servers but as they were part of the domain, they were considered untrusted and a loss. I still had my air gapped backups to fall back on anyway. I still lost nothing.

    I’m now with a large private company who takes security seriously; including proper change control, multiple backups, isolation of environments, with separate logins for daily and admin use and a dedicated SOC team.
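An added defender-side check, not code posted by the commenter above nor from any organisation the thread mentions, that audits the two practices the comment describes: the Domain Admins group granted local admin rights on every server, and ordinary daily-use domain accounts sitting in the local Administrators group instead of individually named admin accounts. The server list and the account-naming pattern are placeholders; it assumes PowerShell remoting is enabled on the targets and that the organisation prefixes dedicated admin accounts with `adm-` and service accounts with `svc-`.

```powershell
# Added example: find servers where local Administrators contains "Domain Admins"
# or a daily-use domain user account. Run from a domain-joined admin workstation.
# Assumptions (placeholders): target hostnames below, and an account-naming
# convention where admin accounts start with "adm-" and service accounts "svc-".

$Servers = @('SRV-APP01', 'SRV-FILE01')          # placeholder hostnames

# DOMAIN\name where name is NOT prefixed adm- or svc- => treated as daily-use.
$DailyUsePattern = '^[^\\]+\\(?!adm-|svc-).+'

# Collect local Administrators membership from each server in one remoting call.
$members = Invoke-Command -ComputerName $Servers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Server      = $env:COMPUTERNAME
            Member      = $_.Name              # e.g. CORP\Domain Admins, CORP\jsmith
            ObjectClass = $_.ObjectClass       # User or Group
            Source      = $_.PrincipalSource   # Local, ActiveDirectory, ...
        }
    }
}

# Classify each membership entry; only problematic ones are emitted.
$findings = foreach ($m in $members) {
    $issue = $null
    if ($m.ObjectClass -eq 'Group' -and $m.Member -match '\\Domain Admins$') {
        $issue = 'Domain Admins group is a local administrator'
    }
    elseif ($m.Source -eq 'ActiveDirectory' -and $m.ObjectClass -eq 'User' -and
            $m.Member -match $DailyUsePattern) {
        $issue = 'Daily-use domain account has local admin rights'
    }
    if ($issue) {
        [pscustomobject]@{ Server = $m.Server; Member = $m.Member; Issue = $issue }
    }
}

# Summary for the reviewer; an empty table means every server passed both checks.
$findings | Sort-Object Server, Member | Format-Table -AutoSize
"Servers queried: $($Servers.Count); findings: $(@($findings).Count)"
```

Servers that fail to answer are silently skipped because of `-ErrorAction SilentlyContinue`; in a real audit compare the set of servers that returned data against the input list, since a host that cannot be reached is itself a finding rather than a pass.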

    1. Anonymous Coward

      Re: Lies, cover ups and saving face

      I don't know about "cyber attacks" but what I have observed with the UK public sector regarding data protection compliance is indeed ongoing fundamental compliance failures, lies and cover ups including:

      (a) a regional public sector body whose modus operandi with regard to FOI Requests is to acknowledge receipt of the FOIR and then to wait until the 20th working day (the statutory *maximum* response period) before sending a "sorry we were able to respond in time, there will be a unspecified delay for a response". They have taken this approach to effectively 100% of the FOIRs I submitted over a 4/5 year period.

      (b) the same regional public sector body changing their answer/"story" in response to a FOIR depending on which lie they've currently been caught in.

      (c) the same regional public sector body providing the Meeting Minutes requested by a FOIR where they extensively redacted the minutes claiming exemption from disclosure via Section 31 of the Freedom of Information Act 2000 ('Law Enforcement') where it is clear they have misapplied Section 31 to redact things that would be problematic to them or other orgs if revealed.

      (d) another regional public sector body taking almost 4 months to respond to a FOI Request and their eventual response did *not* provide any of the requested information (it's not clear whether due to inability of their staff to comprehend English or due to an intentional decision to provide unrequested information instead).

      (e) another regional public sector body *still* not having responded to a FOI Request after more than 5 months: "Please be advised that these FOI's lie with the information asset owners within [org name] and they have a lot of responsibilities in their roles; it is not always possible to meet the deadlines unfortunately, although we do try our best."

      (f) public sector orgs performing large scale sharing of personal data for 10 years without there being any actual (written) agreement in place between the orgs involved. Then when they finally put formal agreement documents in place the documents do NOT contain information required (by data protection law) for such documents to be valid - their legal idiots clearly are incapable of reading and understanding data protection law.

      1. Al fazed

        Re: Lies, cover ups and saving face

        Apparently the ICO now says it is OK for a prosecuting solicitor to hide the defendant's evidence from the court by not including it in the court bundle. Apparently if the defendant doesn't rely on the evidence in court, the prosecuting solicitors have not breached GDPR...

        1. Ian Johnston Silver badge

          Re: Lies, cover ups and saving face

          If the defence chooses not to use some piece of evidence, the prosecution should have no right to reveal it.

  6. Don Bannister

    Contactless still down

    For several months I've been trying, without success, to update a credit card on the contactless bit of their website.

    If they can't do that, it makes me wonder how the real time card charging part of their system is still working. No information - just the usual "sorry for the inconvenience", "working to get back soon", etc ....

    1. rjsmall

      Re: Contactless still down

      As the contactless card section of their site is still down it is also not possible to claim back incorrect fares where you have been overcharged (usually a "failed to touch out" reason) many of which will probably be forgotten about by the time it is back.

      I am amazed how long this has been out considering TfL isn't exactly a small transport operator. Wonder if their CTO and Business Continuity chiefs will get nice bonuses this year for good work in eventually restoring the service.

  7. This post has been deleted by its author

  8. fnusnu

    What we need is an investigator with HSE style powers: that server is not secure - turn it off now and we will tell you when it can be reconnected to the Internet.

    Just like they do on unsafe building sites

    1. TRT

      Or, indeed, the restaurant inspectorate. If you have a dirty server, then they shouldn't be at work!

  9. Ian Johnston Silver badge

    Imagine if TfL or the British Library knew that the day after a breach, an independent expert team would be clambering through the smoking wreckage, and that in reasonable time there would be a full public report on what happened, why, and how to avoid it.

    Well in that case I would expect them to do everything they possibly could to suppress or downplay the incident to avoid having their dirty linen washed in public. People would be even less likely than they are now to work in the public sector if they knew they would be hung out to dry after an institutional failing.

    What is this bizarre obsession, normally in the Daily Mail but now apparently in El Reg, with attacking and humiliating public sector workers at every possible opportunity? Is it the gold plated pensions?

    1. fnusnu

      Why would they be attacked and humiliated? If they had done the right thing and the thing right there would likely be no investigation required.

      Try reading some James Dekker or Erik Hollnagel on accident investigations. Such investigations look for causes not blame in order to remove the issues in future.

      1. Ian Johnston Silver badge

        I'm all in favour of that sort of investigation, not with the sort of public witch hunt being proposed.
