Transport for London (TfL) has directed all employees to attend in-person sessions to confirm their identities and reset passwords following a cybersecurity breach. The incident has led to significant measures to secure the organisation’s systems and data. TfL, which operates London’s transport network, has a workforce of nearly 30,000.
The cyberattack was first disclosed to the public on 2 September, with TfL stating at the time that there was no evidence customer data had been compromised. While the breach did not affect transport services, it caused disruptions to internal systems and online platforms, impacting TfL’s capacity to process customer refunds.
As of last Friday, employees were still dealing with system outages and disruptions, affecting their ability to address customer queries and manage refunds for contactless journeys.
TfL’s shifting narrative on breach
Last week, TfL updated its incident status, indicating that customer data, such as names, contact details, and addresses, had been accessed during the attack. Following the breach, the UK’s National Crime Agency (NCA) arrested a 17-year-old from Walsall who is suspected of involvement in the attack. The teenager was released on bail after questioning.
TfL informed its employees that ongoing issues were continuing after the cyberattack and that the organisation is conducting a full system reset. This process means all staff will temporarily lose access to their OneLondon accounts. TfL has created a dedicated hub to provide updates and guidance for employees on managing the situation.
Shashi Verma, TfL’s chief technology officer (CTO), told the Evening Standard that the organisation is working with the NCA, the National Cyber Security Centre (NCSC), and other specialists to handle the incident and strengthen protection measures.
Verma explained that some colleague and customer data had been accessed, noting that employee data accessed appears to be limited to directory details like TfL email addresses, job titles, and employee numbers. There is no evidence so far to suggest that more sensitive information, such as bank details, birth dates, or home addresses, has been compromised.
The CTO also clarified that, based on advice from cybersecurity specialists, all OneLondon accounts have been deliberately reset. This action requires employees to verify their identities in person to regain access to their accounts.
TfL’s employees have been advised to stay alert against potential cyber threats, such as phishing attempts, to secure their devices, and to use multi-factor authentication and strong passwords to protect themselves and the organisation.
Due to the disruption caused by the breach, TfL has requested bus drivers to allow children to travel without a valid Zip Oyster card, as the organisation is currently unable to process new applications for photocards like the Zip card and 60+ Oyster because of the suspension of back-office systems.
When asked about the timeframe for restoring TfL’s website to full functionality, Verma told the Evening Standard that he could not provide a specific estimate. “I can’t answer that question,” he said. “It’s been all hands to the pump to get to this point.”
TfL also reported that the bank account numbers and sort codes of approximately 5,000 customers could have been accessed by hackers during the cyberattack. Furthermore, the personal information of some of the six million individuals who have provided their email or home addresses to TfL over the past 18 years may also have been compromised.