"An utter shitshow": Inside the Transport for London cyberattack
A special edition of London Centric looking at what's gone wrong at Transport for London — and whether the disaster recovery is as positive as they say.
It’s almost two months since Transport for London’s systems were hacked and many Londoners are still experiencing major disruption to their lives as a result. Although operational systems were largely unaffected by the cyberattack, meaning tube and bus services have continued to run, one senior TfL executive told London Centric that behind the scenes it has been “an utter shitshow”.
As many as a million holders of discount travel cards, a system that is set up to help the city’s most financially stretched people, have been affected. Hundreds of thousands of Londoners are being overcharged for travel, while London Centric spoke to one teenager who is having to skip meals because of cashflow issues brought on by the cyberattack.
With only limited information released to the public about the ongoing impact, TfL has sought to portray its response as “well-managed”. Details of the hack have been tightly controlled and even London’s politicians, who are supposed to have oversight of TfL, have been told few details about the incident.
Now, an investigation by London Centric can reveal:
TfL was targeted by an additional wave of previously unreported attempted cyberattacks in the aftermath of the initial incident, as hackers rushed to exploit weaknesses in London’s critical infrastructure.
There is no indication that police are seeking any suspects other than a 17-year-old male arrested four days after the cyberattack in Walsall, near Birmingham.
Cybersecurity experts claim TfL’s software may have not been up to scratch, with some public-facing systems coded to be compatible with long-defunct browsers such as Internet Explorer 6.
Sadiq Khan’s office and the Greater London Authority outsourced their IT services to TfL this summer, meaning they were also badly impacted, paralysing services at the top of the capital’s devolved government.
Teenagers entitled to free travel are being asked to keep a record of their journeys and reclaim the cost from TfL at an unknown later date, essentially asking the capital’s young people to stump up interest-free loans worth millions of pounds.
Small businesses have been left out of pocket due to late payment of invoices.
There is an expectation among TfL staff that millions of pounds of overcharged fares may never be reclaimed by passengers.
Subscribers to Santander Cycles have been left with hundreds of pounds in wrongly-applied fines, with no ability to access refunds or use their accounts for the service.
London Centric is offering a new sort of in-depth original journalism about the capital. There are no oligarchs involved in funding this publication and the ability to carry out investigations relies on readers who are willing to support independent journalism.
Earlier this month Andy Lord, the boss of Transport for London, sat down at a scheduled board meeting and praised his organisation’s response to a “highly sophisticated” cyberattack, which began with reports of “suspicious activity” on Sunday 1st September.
“The vast majority of Londoners would not know this attack has happened,” the TfL commissioner told board members including mayor Sadiq Khan. Lord later added: “Because it’s been so well-managed people didn’t understand the scale and impact.”
One person who has definitely noticed the scale and the impact is Melford, a 16-year-old student at Havering Sixth Form College in east London. He told London Centric he has been walking miles to college every morning and skipping meals because the cyberattack removed TfL’s ability to issue him a new discount travel card — and stopped him spending the money he had already loaded on his old Oyster card.
Melford said he has simply run out of cash due to TfL’s failings: “My budget was perfectly set for travel and food during the week but this month has been unbearable. I’ve been way over budget and have had to cut out some days when I’d eat in order to make it to school.”
None of the customer-facing damage over the last two months was caused by the actual cyberattack itself. Instead, it was due to TfL voluntarily shutting down many of its operations in a bid to contain the hack. One of the systems that was taken offline was the software used to issue new Zip Oyster cards, which offer discounted travel to hundreds of thousands of young Londoners like Melford. These typically expire at the end of September, in line with the new academic year.
TfL has told station staff and bus drivers to allow anyone with an expired under-16 card to travel, meaning Melford should still be able to get around London. He says that these high-level statements to the press do not match up with the reality on the ground, where he has “been denied entry to the trains by workers many times even after explaining my situation”.
“It's been killing me man,” he said.
Exactly how a key part of London’s critical infrastructure was hacked is still unknown and the subject of live investigations by the National Crime Agency and National Cyber Security Centre.
Four days after the incident a 17-year-old boy in the West Midlands was arrested by the National Crime Agency in connection with potential Computer Misuse Act offences. Sources at TfL told London Centric they did not believe that any other suspects are being actively sought in relation to the incident.
Whoever was responsible, they gained access to software that impacts the everyday lives of millions of Londoners. While cyberattacks on London institutions are a growing fact of life — the British Library and the King’s Cross HQ of the Guardian newspaper have been hit hard in recent years — there is still a sense of embarrassment among some staff at TfL. Several of them blame years of belt-tightening at the organisation in the face of central government funding cuts, despite regular conversations with the security services about how to protect TfL from a sophisticated attack by a nation state.
What has previously been unreported, according to TfL insiders and cybersecurity experts, is the large number of additional cyberattacks that the transport service faced in the days and weeks following the initial breach. A spokesperson for TfL confirmed the attempted attacks to London Centric, insisting that “while there were additional incidents post the event, they were all handled by TfL’s existing cyber security protection measures”.
Cyber security expert Chris Kubecka, who has worked on the recovery from major cyberattacks around the world, said criminals and nation states always attempt to rush into a system after an initial hack: “It’s like looting. There’s a bar of gold sitting there in a wrecked building and it’s all open.”
She cast doubt on the quality of the firewall software that TfL deployed for its systems and showed London Centric how one public-facing TfL system, still live on the internet today, is coded to be compatible with the Internet Explorer 6 browser, software which was last updated in 2008.
“An abnormally long rebuild and the fact they have the old stuff hanging there means there’s still holes in the system that other people could hang out in and use,” she said. “TfL is running outdated software that is still quite vulnerable. I find it difficult to believe they have fully contained the digital damage.”
Publicly, the handling of the immediate aftermath of the attack was a mess. TfL initially put out a statement saying it was confident that no customer data had been compromised, before having to backtrack and admit that the bank details of around 5,000 Oyster card users who had applied for refunds had been accessed, although there is no indication anything was done with this data.
While most Londoners were still able to tap in and use transport services as usual, behind the scenes it was chaos. The booking system for Dial-a-Ride buses, used by the disabled, was also shut down, leaving vulnerable people in the lurch. Data on live tube times — fed into apps such as TfL Go and Citymapper — was taken offline.
Staff at TfL’s HQ were unable to log on to the IT network and the WiFi networks were taken down. Office-based staff were sent to work from home for the whole of September, although most have now returned to the office. Every single TfL staff member was required to travel into the office to have their password and login details reset. Even now, many basic office tasks remain a struggle. Rebuilding and restoring these systems is a tedious, time-consuming task.
The biggest financial impact has been on the city’s neediest: the young, the old, and those with issues tapping in and out of stations.
People turning 60 have been unable to apply for Oyster cards giving them free travel. Individuals from all age groups have been unable to apply for legitimate refunds after being charged the maximum fare because they were unable to tap out at the end of a journey. Hundreds of thousands of sixth formers and new university students have been unable to apply for their 16+ Zip Oyster card, with the official TfL guidance being that they should make a note of each full-fare journey then reclaim the difference later in an as-yet-unclear manner.
When talking to London Centric, one TfL staffer involved in the recovery process cast doubt on the idea that every 17-year-old student in London is able to carefully note down their journeys and put them in a spreadsheet for reclaiming at a later date.
All this points to one of two outcomes. In the best case scenario TfL has inadvertently hit the carefully-balanced budgets of some of the most financially insecure Londoners, essentially asking them for an interest-free loan that will be paid back at some point in the future. In the worst case scenario, the money will never be reclaimed by customers and TfL could end up keeping millions of pounds of fares it should not have earned.
One of those Londoners potentially left out of pocket is Neil Garratt, the leader of the Conservative group in the Greater London Assembly. He was unable to tap out on a commute home recently, and cannot apply for a refund of the maximum £9.90 fare.
He welcomed the decision to allow under-16s to continue to travel on their expired Oyster Zip cards but warned the policy could prove damaging to cash-strapped TfL in the long run, as others use it as an excuse to not pay: “TfL have said they are going to be more lenient with people whose tickets aren’t valid. In a sense that’s a positive form of flexibility. But equally there are people in this world who see these things as a green light to get stuck in. There will have been more fare evasion.”
Other arms of TfL have been hit hard, especially users of Santander Cycles, the rent-by-the-hour bike sharing service still known by many Londoners as Boris Bikes. London Centric reader Tom Adams, who subscribes to the service for his work commute, said he was wrongly charged substantial penalty fares, locked out of his account, and eventually gave up and switched to private sector rival Lime for his daily journey.
Last week he docked his Santander Cycle at a stand but it failed to register, immediately racking up substantial penalty fares that hit £50 a day, up to a total of £300. He phoned the customer service team but they apologetically explained that they could not do anything to stop the charges or refund him, and couldn’t let him use his account until the cyberattack was resolved: “The person on their helpline said it’s been like this for six weeks where effectively they can’t do anything and no visibility on when it will be fixed.”
The total cost of dealing with the cyberattack and making up for lost revenue is expected to hit tens of millions of pounds, according to staff at TfL, who say it has hurt morale and slowed the rollout of improvements to the transport system at a time when money was already tight. The timing is particularly awkward, as Sadiq Khan has already reduced his demands for investment from a Labour government that does not seem to be prioritising spending in the capital.
One of the delayed TfL projects is the plan to roll out London’s contactless payment technology to the rest of the south east of England, which would have done away with the need for most paper tickets at 47 stations on lines to Sevenoaks, Southend, and Windsor from the end of September. The contract was given to TfL by central government on the basis that the London authority had the expertise and technology to quickly implement it. The hack means that the proposed changes have been delayed indefinitely.
Many small businesses have also found their cashflow impacted by the failure of TfL’s invoicing systems at a time when they are surviving hand-to-mouth as the economy flatlines. Other non-critical projects have also slipped amid the chaos, such as the much-publicised renaming of London Overground lines into six different services such as ‘Windrush line’ and ‘Lioness line’.
A spokesperson for TfL said it is too early to put a figure on the total cost of the hack but the combined effect of managing the incident, losing revenue, and delaying projects will be substantial: “These costs are likely to deprive TfL of investment that could otherwise have been invested into the transport network for the benefit of everyone.”
Some staff in parts of TfL that weren’t responsible for cybersecurity said they had been warned there would be no bonuses this year due to the cost of the attack, although a spokesperson said they did not recognise this claim. Others suggested that “deputy heads will roll” over the incident, with two sources singling out chief technology officer Shashi Verma as the man who should take responsibility for the incident.
A spokesperson for the organisation said: “Shashi Verma has led the response to the recent cyber incident, supported by TfL’s cyber security team and TfL’s wider leadership team. This response saw the vast majority of customer services continue to operate unaffected while TfL dealt with the incident.”
One of the previously unreported areas affected by Transport for London’s system shutdown is how it has impacted work at City Hall, the home of the mayor of London and the Greater London Assembly. In a bid to cut costs the contract for their IT network was transferred over to TfL this summer, with one of the stated aims being access to their “sophisticated” cyber defences.
“We can’t book leave, we can’t pay people,” said one despairing City Hall employee. Others said recruitment had been effectively frozen for months due to the collapse of HR systems, meaning important roles were going unfilled due to the failures of their sister organisation.
Garratt, the leader of the London Conservatives, said there would inevitably have to be a thorough appraisal of TfL’s handling of the incident and called on Labour’s Sadiq Khan to give more certainty to Londoners who have been affected by the cyberattack regarding refunds and the extension of free travel.
“TfL have been reluctant to engage in a lesson learned inquiry while it’s still going on,” he said. Garratt, who has a background in IT, said he understood the need to focus on restoring the systems but he had been surprised by how, even in private, TfL were not sharing many details about what had gone wrong.
In a bid to mitigate the damage, TfL confirmed on Friday that it would be allowing expired Zip Oyster cards held by 5-15 year olds to be used for travel until the end of the year. This is little help for older students and the 60-year-olds unable to obtain their passes for the first time. They are still being advised to keep records of their overcharged travel and claim it back, a bill which could ultimately reach the tens of millions of pounds if the issue is not resolved soon, according to estimates of TfL subsidies.
A spokesperson for TfL emphasised that “all safety critical systems and processes have been maintained” since the attack began and the focus is now on restoring internal and customer-focussed systems which were “impacted by measures introduced as part of our response”.
They said they hoped that the likes of Melford, the sixth form student going without food due to the cyberattack, would soon be able to apply for a new card and access the balance on his expired Oyster card: “Significant progress has already been made in relation to this, and we hope to begin accepting applications for new concession photocards again, albeit in a phased way, shortly.”
Within the technology world, some people have more sympathy for TfL’s predicament. Daniel Card, a London-based cyber security consultant, said it appeared that its staff “contained and eradicated the threat in a fairly timely manner”. He also said few major organisations have a “utopian” technology set-up and any organisation with TfL’s high profile will likely always be under some form of attack.
Card said there is a moral duty to publicly discuss the cyberattack in due course, so other organisations can learn from TfL’s mistakes and protect themselves: “Given they are an arm’s length organisation to the UK government, and are deemed critical national infrastructure I would expect that in due course there will be more details shared. We know something went wrong, the hows and whys are less clear.”
Yet he warned that the rebuild could affect Londoners well into 2025: “Eight weeks ago in the cyber incident world is a lifetime ago, but for a recovery… it can be just the beginning.”
It is telling that this story is not in the nationals or on the BBC. Only the human effects of a massive cyberattack, move along, nothing to see. Well done for breaking it.
Whilst it is true that supporting IE6 is probably unnecessary in 2024, I don't see why it would be a problem "per se" - it very-much depends on WHAT is being done.
Personally, I'd be much more concerned that they are using a very old version of jQuery - they look to be using jQuery v1.12.4 on the main site, which is from 2016 and has multiple vulnerabilities.