Transport for London doesn't know when it will recover from 'very sophisticated' cyber attack, admits tech chief
Listen here on your chosen podcast platform.
Transport for London does not know how long it will take to recover from a “very sophisticated and direct” cyber attack, its chief technology officer has admitted.
Shashi Verma, speaking to the Evening Standard on Friday, said the capital’s public transport organisation had “all hands to the pump”, with about 2,000 staff working to remedy the hack on its computer systems.
As an interim measure, TfL is asking bus drivers not to refuse to allow children to travel for free if they do not possess a valid Zip Oyster card.
Due to TfL having “disconnected” much of its “back office” computer systems to halt the attack, it is currently unable to accept new applications for photocards such as the Zip card, which gives free bus travel for children and teenagers and cheaper “child” fares on the Tube, and 60+ Oyster used by older Londoners.
A 17-year-old teenager was revealed on Thursday to have been arrested in Walsall by the National Crime Agency a week earlier, on September 5, in connection with the cyber attack on TfL on September 1.
Mr Verma, asked by the Standard how long it would take TfL to get its website fully operational, said: “I can’t answer that question. It’s been all hands to the pump to get to this point.”
It came as NHS England’s London region announced on Friday that two of the capital’s biggest hospital trusts, Guy’s and St Thomas’ and King’s College Hospital, continue to have to postpone appointments 14 weeks after a ransomware cyber attack on pathology services provider Synnovis.
On Thursday, TfL revealed that about 5,000 customers may have had bank account numbers and sort codes exposed to the hackers.
In addition, an unknown number of the six million people who have shared their email or home address with TfL over the last 18 years may have had this exposed to the hackers.
Mr Verma said TfL would be contacting the 5,000 people directly “very soon” to explain that they may have been at risk.
However he said: “I don’t want anyone to get alarmed. Having just a bank account sort code and account number is not enough to conduct financial fraud.”
TfL warned Londoners to be aware that fraudsters could look to capitalise on the hack and to be wary of any emails or text messages that may be sent as part of a “phishing” scam. It said it would never ask customers for bank details in its communications.
Mr Verma said in relation to the hackers: “Let’s not give these guys more credit than they’re due. They’re attacking people who are also very clever. There has been some disruption, but mainly because of the actions we took to defend ourselves.
“These guys have not been able to do any damage themselves. They have not been able to bring the Tube down or bring the bus network down or steal credit card data.”
TfL remains in the dark as to why it was targeted on September 1. Hacking activity was detected on September 2 and 3 but there has been nothing since then.
“They have not made any demands of us,” Mr Verma said. “We have not paid any ransom. We don’t know the motives.”
The fact that about 5,000 people had their bank details exposed to the hackers came to light earlier this week.
Arguably the biggest impact has been on TfL’s own staff – which then limits their ability to interact with passengers and respond to requests.
All 30,000 staff are having to queue at TfL offices to validate their identity and obtain a new password to log b ack into the TfL computer system.
Asked about rumours that the hack may have been an “inside job” or assisted by a rogue employee, Mr Verma said: “We have not found evidence of that so far.”
Due to the restrictions TfL has imposed on its own website, there is no live Tube arrival information, including on the TfL Go app. In addition, passengers who use Contactless bank cards to travel cannot access their journey history.
Passengers who have to pay higher fares due to being unable to access reduced-price travel will be able to apply for refunds once full functionality is restored to the TfL website.