The September 2024 cyber attack that forced Transport for London (TfL) to suspend multiple services across the capital has cost it more than £30m to date, it has emerged.
In a financial update to its board, TfL said that previous forecasts of an operating surplus of £61m had now been slashed to £23m, largely due to the financial impact of the security incident. It currently has an operating deficit of £37m, which is £122m lower than initially budgeted for.
The organisation revealed that it has spent £5m on incident response, investigation and remedial cyber security measures in the past three months.
The incident began on 1 September when defenders detected suspicious activity on TfL’s network. Likely fearing ransomware, the IT security teams limited and shut off several systems to ensure the impact was minimised.
Fortunately, the impact of the incident on London’s bus, Tube and other services was limited, but multiple other services were affected. Most prominently, passengers were left unable to access their account logins for contactless and Oyster payment services, APIs used by third parties including Citymapper went offline, and the Dial-a-Ride service for disabled people had to be briefly suspended.
Although initially TfL said that it did not believe passenger data had been affected,, it later found that data on 5,000 people was accessed, including names, contact details and in some cases bank account data. All of these people have been contacted and the incident has been referred to the Information Commissioner’s Office (ICO). Subsequently, the National Crime Agency (NCA) arrested and later bailed a 17-year-old boy on suspicion of offences under the Computer Misuse Act.
In the report, TfL commissioner Andrew Lord thanked the thousands of TfL employees who have “really pulled together” in recent weeks to address the disruption and maintain key services, and passengers for their patience.
Lord added that TfL had received wide praise and recognition for its response, but said that the consequences of the incident will continue for some months to come. He promised a full review of the incident in due course, although stressed that publicly available information will remain limited as it relates to an ongoing criminal case.
More services restored
In recent days, TfL has been able to restart a number of services that were disrupted during the cyber attack, including the contactless.tfl.gov.uk service.
This means passengers who use pay-as-you-go with a contactless credit or debit card, or on their smartphones, are now able to see their full journey history again.
Additionally, it means that TfL can also once again provide photocards for Zip cards for five to 17 year-olds, 60+ London Oyster, and 18+ Student Oyster. It has already dispatched over 30,000 Zip passes, 40,000 new student passes and 13,000 pensioners’ passes since reopening applications.
TfL said that it was encouraging parents and guardians to apply for updated Zip photocards as a matter of urgency – expired 5-10 and 11-15 Zips are being accepted on TfL and surface rail services in London at present, but this concession will end on New Year’s Eve.
The organisation warned customers would still see some residual delays when contacting customer services, particularly with regard to refunds for overpayments for concessionary cardholders affected by the cyber attack.
Shashi Verma, chief technology officer at TfL, said: “We’re pleased that customers can now access their contactless journey history again, meaning that all TfL fares services impacted by the recent cyber incident are now reinstated. We apologise for any inconvenience that this incident has caused our customers,” said TfL CTO Shashi Verma.
“We are now able to process contactless and Oyster refunds for those requiring them, though customers should anticipate there may be some delays due to the expected backlog. We have also contacted all new photocard customers who were impacted by not being able to apply for their new photocard. I want to also personally thank our engineers and customer services teams who have worked hard during this incident to support customers and restore services.”
SonicWall EMEA executive vice-president, Spencer Starkey, commented: “Due to [its] importance, safeguarding critical national infrastructure [CNI] is vital to maintain order and prevent potential disasters caused by threats such as cyber attacks.
“Ensuring the cyber security of critical national infrastructure requires a comprehensive and ongoing effort. The ramifications of an attack and ensuing outage on CNI can be disastrous and it’s important to place the utmost amount of time, money and efforts on securing them.
“In a divisive landscape, we’re seeing a continued geo-migration of threats, and governments are under constant cyber threat. These cyber attacks raise concerns about a country’s own national security, critical national infrastructure as well as the safety of sensitive information.
“Protecting government networks relies on constant communication and cooperation, working together with the private sector and imposing strict punishments, to deter future attacks,” he added.