Apparently Transport for London are dealing with a cyber security incident.

It’s buried on their website, not on the front page or news sections, and has no date on it. tfl.gov.uk/campaign/cyber-secu

HT @joshbal4

Orgs, you probably don’t want to email a million people at 6.30pm saying ‘whoopsie we have a happy little cyber incident’ with no actionable info as it will just spark concern and leave an information void for people to fill themselves.

Transport for London has set the contactless sign in link to Maintenance mode.

Transport for London have a genuine internal security incident running and are reverting to paper processes.

Transport for London have shut down outbound internet access and restricted systems inbound, e.g. they have cut off some Netscaler VPNs but left up others for home users.

They appear to be doing a containment. Unclear if ransomware so far, as I haven’t had time to crawl network traffic, but it’s the containment steps you take for ransomware and extortion groups.

The Transport for London cyber incident is still ongoing.

The attackers got onto the corporate network, which is currently contained for recovery.

The operational (ICS) network wasn’t reached so services to customers continue uninterrupted.

Boundary internet services often offline, VPN restricted to home users, ERP systems, API systems etc offline.

If anybody is interested, the Transport for London cyber incident is still ongoing 3 days later - systems remain contained.

If anybody is wondering, Transport for London are still in containment 5 days in.

APIs, ERP etc still offline.

Update on Transport for London incident.

I can see prior traffic from their network to a crimeware group.

Transport for London are still in containment phase, 7 days into their cyber incident.

Hopefully it focuses minds on boards who believe large scale cyber incidents can be resolved in a day.

Day 9 of the Transport for London cyber incident

Two updates

- I’ve confirmed they’re still in containment phase, and internal services and API remain down.

- @zackwhittaker has an excellent spot - they’ve removed the statement about no evidence of customer data exfiltration, and then not commented when asked about it. techcrunch.com/2024/09/10/lond

TechCrunch: London's transit agency drops claim it has 'no evidence' of customer data theft after hack. The London transport authority removes a claim that said there was no evidence that customer data was compromised during a recent hack.

Transport for London tell me they have identified data exfiltration of customer names, contact details, email addresses, and - in a small number of cases - bank account numbers and sort codes.

They are still in containment phase.

The NCA have arrested a teenager over the Transport for London hack HT @mattburgess

For any press covering the hack - the 5000 bank accounts is separate to the customer names, emails and home addresses bit.

TfL didn't say how many people's details overall were accessed.

One of the things TfL have done in their containment phase is lock the accounts of their IT staff who aren't working on recovery -- and they're working to manually reauthenticate who their staff are, i.e. check their identities.

In entirely unrelated (👀) news, teenagers in LAPSUS$ and Scattered Spider often obtain access by calling up the helpdesk and saying they've lost their phone for MFA and/or forgot their password. Your containment playbooks should include stripping MFA devices.
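
An added example of the detection and containment logic the post above describes (my own code, not from the thread or TfL): over constructed identity-provider events, flag accounts where a new MFA device was registered shortly after a helpdesk-initiated password reset, then lock the account, strip MFA devices registered from that reset onward, and queue in-person re-verification. The event names, log format and 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real TfL logs): timestamp, event, user, detail.
# alice: helpdesk reset followed 3 minutes later by a new MFA device (suspicious).
# bob:   helpdesk reset, new device five hours later (outside the window).
# carol: new device with no helpdesk reset at all.
SAMPLE_LOG = """\
2024-09-01T18:02:11 HELPDESK_PASSWORD_RESET alice ticket=H-1001
2024-09-01T18:05:40 MFA_DEVICE_REGISTERED alice device=authenticator-app
2024-09-01T18:07:03 SIGNIN alice ip=203.0.113.7
2024-09-01T09:15:00 HELPDESK_PASSWORD_RESET bob ticket=H-0990
2024-09-01T14:20:00 MFA_DEVICE_REGISTERED bob device=phone
2024-09-01T11:00:00 MFA_DEVICE_REGISTERED carol device=phone
"""


def parse_events(text):
    """Parse one event per line into (time, kind, user, detail), oldest first."""
    events = []
    for line in text.splitlines():
        ts, kind, user, detail = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), kind, user, detail))
    return sorted(events)


def suspicious_resets(events, window=timedelta(minutes=30)):
    """Return {user: (reset_time, mfa_time)} for every account where a new MFA
    device was registered within `window` of a helpdesk-initiated reset."""
    flagged, last_reset = {}, {}
    for ts, kind, user, _ in events:
        if kind == "HELPDESK_PASSWORD_RESET":
            last_reset[user] = ts
        elif kind == "MFA_DEVICE_REGISTERED" and user in last_reset:
            if ts - last_reset[user] <= window:
                flagged[user] = (last_reset[user], ts)
    return flagged


def containment_actions(events, flagged):
    """Build the containment list: lock the account, remove every MFA device
    registered at or after the suspicious reset, then re-verify in person."""
    actions = []
    for user, (reset_ts, _) in flagged.items():
        actions.append(f"LOCK {user}")
        for ts, kind, u, detail in events:
            if u == user and kind == "MFA_DEVICE_REGISTERED" and ts >= reset_ts:
                actions.append(f"REMOVE_MFA {user} {detail}")
        actions.append(f"REVERIFY_IN_PERSON {user}")
    return actions
```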

Transport for London latest - they are resetting the login and MFA details for 30,000 employees in person, accounts are locked.

The queue to get account access back is out the buildings and down the roads.

FWIW I’ve heard the TfL incident is Scattered Spider again, in a surprise to nobody - i.e. teens phoning helpdesks to gain access.

Btw, I think Transport for London have done a really good job containing this. It would have been much worse, one suspects, had they not.

It sucks for staff but they prioritised customer service (i.e. transport) and safety over short-term recovery, and that is very likely the correct pivot. I've seen these things go the opposite direction when orgs under-react and it often ends really poorly.

Kevin Beaumont

Message from head of Transport for London to staff about their cyber incident, sent out to staff via WhatsApp.

Transport for London on if this was a ransomware or extortion group: “It is not appropriate to comment on this while the investigation is ongoing.”

Transport for London say they have completed containment stage of their cyber incident and are on their way through recovery.

@GossiTheDog do you have a credible link to information about what your post is about?

@meatlotion @GossiTheDog it’s an animated GIF, which cannot have audio

@GossiTheDog: Sounds like an invitation for a phishing campaign. 🙄

@GossiTheDog As soon as I heard that a teenager from Walsall has been arrested for this, I started the countdown to the attack being described as "sophisticated"

@GossiTheDog not too quickly though, I got caught on a box junction a few days ago...

@GossiTheDog 45 days and still recovering. Don't always realise it is that long

@GossiTheDog You've already ruled out mass incompetence?