Tuesday, December 3, 2024

Cyber Attack on TfL Disrupts Dial-a-Ride Service

Dial-a-Ride, the complimentary door-to-door transit service for individuals with disabilities operated by Transport for London (TfL), was compelled to briefly halt new booking requests due to an ongoing cyber attack affecting TfL’s IT infrastructure.

Reports indicate that this incident, the details of which TfL has not fully disclosed beyond a brief media statement, has resulted in Dial-a-Ride staff facing restricted access to certain IT systems and email. Consequently, the service experienced significant delays in handling incoming requests, prompting TfL to suspend new bookings.

A spokesperson for TfL confirmed the temporary suspension of the service but informed Computer Weekly that operations have since resumed. “Due to the internal measures we implemented in response to the cyber security incident, the Dial-a-Ride booking system was temporarily offline, although existing bookings continued to be honored. We are now able to process essential bookings and expect the situation to improve throughout the day,” they stated.

Dial-a-Ride is specifically designed for those with permanent or long-term disabilities that prevent them from using public transport options such as buses, the Underground, or surface rail. The service offers flexible transportation solutions for crucial local travel across the 32 boroughs of Greater London, operating a fleet of minibuses that function more like communal taxis. Drivers are trained to assist passengers as needed, including helping them board or alight from the vehicle.

Fortunately, the broader cyber attack has not disrupted TfL’s regular operations on the bus network, the Underground, or any other services. The organization has previously indicated that there is no evidence to suggest a compromise of passenger data. However, the incident appears to be affecting passenger logins for contactless and Oyster payment accounts, as well as some application programming interfaces (APIs) used by third-party services, such as Citymapper.

The incident is believed to have begun around Monday, September 2, with TfL collaborating with the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) to mitigate its effects. In a statement on Monday, TfL’s Chief Technology Officer, Shashi Verma, emphasized the importance of safeguarding their systems and customer data, assuring that they would continue to evaluate the situation during and after the incident.

TfL has not disclosed the exact cause of the attack, although The Register previously reported that a vulnerability in network appliances might have been the initial breach point leading to the incident. The indication that staff had limited access to certain systems, combined with findings by external researcher Kevin Beaumont regarding restricted network availability, suggests that TfL may be responding to a ransomware threat.

Mark Robertson, Chief Research Officer at AcumenCyber, a managed security services provider, noted, “Employees being locked out of systems is often one of the primary consequences of ransomware attacks. However, without a more detailed update from TfL, we cannot definitively determine the nature of the incident they’re facing or its perpetrators.” He expressed relief that Tube services are operating normally, indicating that TfL has managed to prevent the incident from significantly impacting operations, which could have paralyzed the entire capital. This situation also suggests that TfL had already made incident response planning a priority to prepare for and limit the impact of cyber attacks.