As cyber-attacks go, it could have been worse. In Nightsleeper, the new BBC thriller airing just after Transport for London revealed its systems had been breached, passengers are locked aboard as a train seized by hackers hurtles dangerously towards the capital.
In real life, the troubles for TfL customers are far less dramatic. The actual physical transport services, the buses, trains and tubes – many of which are effectively remote-controlled – have been unaffected by its cyber-attack.
But as TfL continues to tackle what it calls an ongoing incident – despite the recent arrest of a suspected perpetrator – the minor headaches are growing persistent.
The latest official update from TfL HQ included the revelation that thousands of customers’ details had been exposed in the hack. Those affected – about 5,000 identified in a file of Oyster users who had applied for refunds – have now been contacted.
Shashi Verma, TfL’s chief technology officer, said that “the situation continues to evolve” – despite the arrest of a suspect, a 17-year-old boy from Leicester, two weeks ago.
So far, TfL says it is not aware of any notified customers having suffered any losses due to the data breach.
The impact on most consumers in the short term is they have less information; both in being able to check online journey histories or contactless payments, or view some live transport updates, now that TfL has cut feeds. A spokesperson said there was currently no date set for when this information would be accessible again, “but we can assure customers that once it is available they will be able to see their full journey history and correct any incomplete journeys or maximum fares.”
While live tube times are missing from TfL Go and the Citymapper apps, live information on the more infrequent and less predictable mode of transport, the buses, continues. The JamCams feeding the public live traffic updates have been also paused, but they continue to serve the road management nerve centre at Palestra, allowing traffic lights and other surface operations to be managed as normal.
A potentially bigger issue is developing for those who now cannot apply for discount Oyster photocards, including children’s Zip cards and the 60+ pass. Although TfL has advised bus drivers to allow children to travel free without current ID, there is no solution for older children travelling alone to swipe in to the tube network for the discounted fares.
With a 95p flat tube fare for 10-15-year-olds, travelling at full adult rate could, for a child regularly travelling to school, add up to hundreds of pounds extra by Christmas. TfL has postponed the yearly address checks for travel cards for older people, but the inability to apply for Oyster 60+ photocards will have, after three weeks, seen thousands of people newly eligible for free travel taking a financial hit.
TfL has told customers unable to apply to keep a record of any fares paid, saying that it “may” be able to refund passengers once the cybersecurity incident has been resolved.
No one at TfL has yet put a date on the return of all systems. Parents have been told that expired cards for younger children can be used until at least the end of October – the earliest date to plough through the backlog and send out new passes if the portal is quickly fixed.
For staff, the ongoing effect of the hack is extra daily frustration: many staff are having to work from home, with limited or no access to some servers and databases while the IT investigation continues.
Another slow-burning but potentially costly problem is that development and engineering is hampered. The most obvious example has been the enforced delay to the long-planned rollout of pay-as-you-go contactless travel to 47 railway stations outside London, meaning commuters still require separate national rail passes or tickets.
While TfL insists there are sufficient workarounds or hard copies of documents to allow projects to continue, third-party contractors and even staff are shut out of certain systems – slowing the pace of work at a moment when the mayor, Sadiq Khan, with the backing of a new Labour government is trying to ramp up the pace of citywide development, with transport at the heart of it.
All 27,000 employees will, at some point, also have to go to Palestra House, TfL’s Southwark HQ, to have their passwords changed and digital identities recertified.
TfL said there is “absolutely no indication that this cybersecurity incident was carried out by someone physically within one of our buildings”, and that the attack was conducted entirely remotely. Neither, despite allegations from some outside parties that TfL ignored warnings that its systems were vulnerable, is it thought the hack came through any previously identified insecurity.
The TfL breach follows attacks on a number of public institutions and firms, from the British Library and Hackney council to Royal Mail and indeed the Guardian, as local government expert Prof Tony Travers, of LSE London, noted. He said: “As with all hacks, the organisations concerned have to tread a careful path to warn people and say that they are dealing with the problem – but not so open and explicit as to alarm them or to encourage other bad actors.”
However, it is understood that there is recognition internally that investment in TfL’s systems is overdue. But money is tight at the transport authority, which had seen three rounds of cuts and redundancies – known internally as “transformations” – in the decade since 2010, even before the pandemic battered its finances further.
TfL says it can now break even again without an operating grant – a £700m annual subsidy extinguished by the Conservatives in 2015 – although, reliant more than any other major city on fragile fare income, it needs support for capital investment. The prime exhibit looked like the ancient Bakerloo line underground trains, trundling along like Trabants from 1973; now, thanks to the hack, other creaking parts are coming to the surface.