Friday, October 18, 2024

Malicious Insider Behind Racist Network Rail Wi-Fi Hack

The British Transport Police (BTP) have arrested an individual in connection with an investigation into a cyber attack that disrupted public Wi-Fi services at major UK railway stations on the evening of Wednesday, September 25.

The incident left passengers at 19 railway stations across the country unable to access Network Rail’s Wi-Fi network, managed by communications service provider Telent. Instead, users received racist and Islamophobic messages on their devices.

On Thursday, September 26, Telent reported that the disruption resulted from an unauthorized alteration to its landing page and that it was working with Global Reach, the service provider, to investigate further.

Following the investigation, BTP detained a man, whose identity has not been disclosed, on suspicion of orchestrating the attack. A spokesperson for the police mentioned that the cyber incident appeared to originate from within the organization, labeling the individual as a “malicious insider.”

“The individual is an employee of Global Reach Technology, which provides certain Wi-Fi services to Network Rail. He has been arrested under the Computer Misuse Act 1990 and the Malicious Communications Act 1988,” the spokesperson explained. “Officers received reports shortly after 5 PM on September 25 regarding a breach of Wi-Fi services at railway stations displaying Islamophobic content. The misuse was limited to the defacement of splash pages, and there is no indication that personal data has been compromised.”

In an update to their previous statement, Telent confirmed: “The incident was an act of cyber vandalism originating from within the Global Reach network and not due to a network security breach or technical failure. We aim to restore public Wi-Fi services by this weekend. Telent continues to collaborate with Network Rail, Global Reach, and the British Transport Police to resolve this issue.”

The cyber attack had earlier sparked speculation among some online security observers that Network Rail had been targeted by a supply chain attack, potentially orchestrated by a nation-state against the UK’s critical rail infrastructure. However, this appears not to be the case. The possibility of an insider being responsible is likely to be concerning for both Global Reach and Telent, as well as their downstream clients, including Network Rail.

Many insider threats are posed by current or former employees who may harbor grievances, though some may act as moles engaged in industrial or state-sponsored espionage. Other insiders are accidental threats: they may simply make a mistake or fail to adhere to internal security protocols, thus enabling access for external cyber criminals.

The risks presented by these individuals are often hard to detect and can vary significantly. The ramifications of their actions can be severe, including data breaches, fraud, intellectual property theft, and damage to IT systems, not to mention the significant embarrassment and distress caused, as evidenced by the incident involving Network Rail.