Police have arrested a teenager from Walsall in connection with the cyber-attack on Transport for London, as TfL said it had discovered thousands of customers’ details had potentially been breached.
The National Crime Agency said the 17-year-old male was detained on suspicion of Computer Misuse Act offences in relation to the attack launched on TfL’s systems on Sunday 1 September.
The teenager was arrested on Thursday last week and released on bail after questioning by NCA officers.
The NCA deputy director, Paul Foster, the head of the agency’s cybercrime unit, said: “We have been working at pace to support Transport for London after a cyber-attack on their network, and to identify the criminal actors responsible.
“Attacks on public infrastructure such as this can be hugely disruptive and lead to severe consequences for local communities and national systems.
“The swift response by TfL following the incident has enabled us to act quickly, and we are grateful for their continued cooperation with our investigation, which remains ongoing.”
TfL said it was contacting about 5,000 customers as a precaution to warn that their email and bank account details could have been accessed. It is understood to relate to those who had applied for refunds on journeys made using Oyster cards.
It said the cyber-attack would also hold up the rollout of contactless travel to dozens of railway stations around south-east England, which had been due to allow commuters to travel ticket-free into London from 22 September.
Shashi Verma, TfL’s chief technology officer, said a thorough investigation was continuing in tandem with the NCA and the National Cyber Security Centre.
Verma added: “Although there has been very little impact on our customers so far, the situation continues to evolve and our investigations have identified that certain customer data has been accessed. This includes some customer names and contact details. Some Oyster card refund data may also have been accessed. This could include bank account numbers and sort codes for a limited number of customers.
“We have notified the Information Commissioner’s Office and are working at pace with our partners to progress the investigation. We will provide further updates as soon as possible.”
All TfL staff will have to report to its HQ in Southwark to reset their digital identities for email access. TfL said the all-staff IT identity check would be done by appointment in the coming week and it did not expect any significant impact on customer journeys.
Verma said the measures meant it was now not possible for TfL to carry out planned system changes to allow another 47 rail stations to operate pay-as-you-go contactless travel later this month, but it was working with government and the rail industry to reschedule.
The attack has affected live data feeds serving travel apps such as Citymapper and TfL Go, but public transport services have been running as normal and have not been directly affected. Many TfL office staff have been asked to work from home.
TfL has stopped customers accessing information including journey history and photocard registration as part of measures to tackle the breach.
TfL said no ransom demand had been made in the attack.