TfL provides update on ongoing cyber security incident - 12 September
TfL today (Thursday 12 September) issued an update in relation to the ongoing cyber security incident that it is managing.
Shashi Verma, TfL's Chief Technology Officer, said:
'The security of our systems and customer data is very important to us. We continually monitor who is accessing our systems to ensure only those authorised can gain access. We identified some suspicious activity on Sunday 1 September and took action to limit access. A thorough investigation continues alongside the National Crime Agency and the National Cyber Security Centre.
'Although there has been very little impact on our customer so far, the situation continues to evolve and our investigations have identified that certain customer data has been accessed. This includes some customer names and contact details (including email addresses and home addresses where provided).
'Some Oyster card refund data may also have been accessed. This could include bank account numbers and sort codes for a limited number of customers. As a precautionary measure, we will be contacting these customers directly as soon as possible to advise them of the support we can provide and the steps they can take.
'We have notified the Information Commissioner's Office and are working at pace with our partners to progress the investigation. We will provide further updates as soon as possible.
'In addition, as part of the measures we have implemented to deal with the cyber incident, we have today put in place additional measures to improve our security. This includes an all-staff IT identity check. Throughout this planned process we have ensured that all safety critical systems and processes have been maintained.
'We do not expect any significant impact to customer journeys as we carry out this process. However, temporary and limited disruption is possible to some services so, as ever, please check before you travel.
'The security measures we are taking mean that it is now not possible for us to deliver the necessary system changes to enable 47 additional stations outside London to benefit from pay as you go with contactless on 22 September as planned. We are working with DfT and the Rail Delivery Group to reschedule and we apologise for the delay.
'We will continue to keep our customers and our staff updated. I would like to apologise for the inconvenience this incident may cause customers and I thank everyone for their patience as we respond to this incident.'
Notes to editors:
- For the latest information on the cyber security incident - visit https://tfl.gov.uk/campaign/cyber-security-incident
- TfL will be contacting around 5,000 customers with regard to bank detail data
- A statement from the National Crime Agency in relation to this incident is available here: https://www.nationalcrimeagency.gov.uk/news
- The Information Commissioner's Office has issued guidance about how to protect your data, which is available here: https://ico.org.uk/for-the-public/identity-theft/
- As set out last week - as part of TfL's response to this incident - it has temporarily restricted access to customer journey history for pay as you go contactless customers, as well as limited access to some live travel data via apps, TfL Go and the TfL website, including next train information and the TfL JamCams
- In addition, TfL has made the decision to temporarily restrict access to the photocard portal, which allows customers to apply for travel concessions, including the Zip Photocard, 16+ and 18+ Photocard and the 60+ Oyster photocard. TfL apologises for any inconvenience that these temporary changes will cause to some customers and are working to bring these back online as quickly as possible
- Customers who are unable to apply for a photocard, should continue making journeys as usual and keep a record of any fares paid. It may be possible to arrange a refund once the incident has been resolved and new photocards are issues
- TfL is currently unable to issue refunds for incomplete pay as you go journeys made using contactless. Oyster customers are able to self-serve online