TfL Cyber Security Incident

markle · 18 Oct 2024

deleted

RailUK Forums

miklcct · 18 Oct 2024

There is a handwritten notice at an Elizabeth line station saying that holders of expired 16+ Oyster cards are not entitled to free travel, and can ask for a refund for the fares paid after getting a new 16+ Oyster card.

jumble · 18 Oct 2024

miklcct said:
There is a handwritten notice at an Elizabeth line station saying that holders of expired 16+ Oyster cards are not entitled to free travel, and can ask for a refund for the fares paid after getting a new 16+ Oyster card.

Confirmed as being correct by TFL Website

Oyster photocard website currently unavailable

Information about our maintenance work on the Oyster photocard website

tfl.gov.uk

16+ Zip Oyster photocard16+ Zip Oyster photocards are for children aged 16-18 and expire in the year of a pass holders 18th birthday. Expired photocards will not be accepted beyond their expiry date. If your card has expired, you should use an alternative payment method for your travel.

MikeWh · 18 Oct 2024

Although the hand written notice is not quite correct because it won't be a 16+ Oyster that is eventually purchased, rather a Student or Apprentice Oyster card.

miklcct · 20 Oct 2024

markle said:
For some people this is a material impact on their budgets, and the promise of future reimbursement doesn't fix more immediate personal cashflow issues.

How hard is it to obtain a credit line for this issue with the expectation that money will be recovered from TfL in the future?

redreni · 20 Oct 2024

miklcct said:
How hard is it to obtain a credit line for this issue with the expectation that money will be recovered from TfL in the future?

Very easy if you don't need to. Potentially rather difficult, costly and risky if you do.

Why should we accept that people have to go into debt because it turned out TfL couldn't be trusted to safeguard the massive amounts of personal data it went out of its way to insist on collecting and processing?

ThameslinkUser · 20 Oct 2024

redreni said:
it went out of its way

I'm intrigued as to how you came to this conclusion with regards to highly rewarding concessionary cards at risk of fraud. May you expand please?

redreni · 20 Oct 2024

We don't know if that's the personal data that was compromised, though, do we? I can only speak about the totality of personal data TfL holds and processes, which is of course absolutely enormous. TfL has very much led the way over the years when it comes to collecting personal data while collecting fares - I don't say this is unreservedly bad but I do take account of the fact TfL didn't have to have such a massive amount of personal data under its control when judging them for failing to protect some of it.

I agree collecting personal data from people wanting concessions is pretty standard and not something to be held against TfL, but as I say that's doesn't necessarily have anything to do with TfL's current inability to issue concessionary oyster photocards

signed · 20 Oct 2024

redreni said:
We don't know if that's the personal data that was compromised, though, do we?

If that would have been the case, they have 72h from discovery to inform both the impacted and the ICO (information Commissioners Office) of the breach.

Everything is (very) slowly getting back up so unless it's found later, it's not impacted personal data

ThameslinkUser · 20 Oct 2024

redreni said:
We don't know if that's the personal data that was compromised, though, do we?

We know that it isn't as they said it was the Oyster refund data.

TfL provides update on ongoing cyber security incident - 12 September

tfl.gov.uk

'Although there has been very little impact on our customer so far, the situation continues to evolve and our investigations have identified that certain customer data has been accessed. This includes some customer names and contact details (including email addresses and home addresses where provided).

'Some Oyster card refund data may also have been accessed. This could include bank account numbers and sort codes for a limited number of customers. As a precautionary measure, we will be contacting these customers directly as soon as possible to advise them of the support we can provide and the steps they can take.

You still haven't mentioned that they went "out of their way". I invite you to expand on that part alone.

miklcct · 21 Oct 2024

bakerstreet said:
Oyster app and website won’t allow Oyster top ups

I’m writing this in here, but I’m not sure if it’s connected to the original incident.

I tried to top up my Oyster today on both the TfL app and the website.

Payments were taken and then immediately sent back.

My bank confirmed it is not them rejecting the payments, TfL systems are refusing them.

The Oyster helpline confirms they are currently having an issue where nothing can be done to add credit to an Oyster card online.
Everything must be done in person at a railway/tube station (they did not mention local agents)

I can’t even set up for my Oyster to auto top up.

I now have four pending payments on my banking app (which I know - hope - will drop off in the next few days).

I have just bought a Travelcard online and the order was processed successfully.

redreni · 21 Oct 2024

ThameslinkUser said:
We know that it isn't as they said it was the Oyster refund data.

TfL provides update on ongoing cyber security incident - 12 September

TfL provides update on ongoing cyber security incident - 12 September

tfl.gov.uk

You still haven't mentioned that they went "out of their way". I invite you to expand on that part alone.

That announcement doesn't say it was only Oyster refund data. It says it was customer names and contact details, then it says Oyster refund data may "also" have been accessed.

As for TfL going out of its way to collect personal data of the type they then lost control of (customer names and contact details), while I am always happy to be challenged on what I say and to be invited to provide evidence or argument to support it, I am a little surprised this would be regarded as contentious.

TfL actively encourages use of PAYG and actively encourages PAYG users to register their oyster or contactless payment cards. Anyone who has tried to do simple things like check their journey history with respect to an unregistered payment card can attest to the strong encouragement to register, including by limiting the availability of information the passenger may want or need if they do not register. They have led the public transport sector in collecting data about passengers and journeys and this includes personal data.

I do not suggest this is inherently bad or that TfL had bad intentions when it did this, but I do take into account that they went out of their way to do it to a much greater extent than was strictly necessary. They began doing it at a time when most other transport operators only collected personal data that was strictly required (such as for monthly or longer season ticket or concessionary pass holders).

If an organisation is hacked and personal data that they were required to hold was compromised, I would be open to the idea that the organisation may deserve our sympathy until and unless it transpires that they didn't take reasonable steps to safeguard the data. I have less sympathy when they were holding massive amounts of personal data that wasn't strictly needed and was only useful because of the way they chose to design their system of collecting the fares.

miklcct · 21 Oct 2024

redreni said:
That announcement doesn't say it was only Oyster refund data. It says it was customer names and contact details, then it says Oyster refund data may "also" have been accessed.

As for TfL going out of its way to collect personal data of the type they then lost control of (customer names and contact details), while I am always happy to be challenged on what I say and to be invited to provide evidence or argument to support it, I am a little surprised this would be regarded as contentious.

TfL actively encourages use of PAYG and actively encourages PAYG users to register their oyster or contactless payment cards. Anyone who has tried to do simple things like check their journey history with respect to an unregistered payment card can attest to the strong encouragement to register, including by limiting the availability of information the passenger may want or need if they do not register. They have led the public transport sector in collecting data about passengers and journeys and this includes personal data.

I do not suggest this is inherently bad or that TfL had bad intentions when it did this, but I do take into account that they went out of their way to do it to a much greater extent than was strictly necessary. They began doing it at a time when most other transport operators only collected personal data that was strictly required (such as for monthly or longer season ticket or concessionary pass holders).

If an organisation is hacked and personal data that they were required to hold was compromised, I would be open to the idea that the organisation may deserve our sympathy until and unless it transpires that they didn't take reasonable steps to safeguard the data. I have less sympathy when they were holding massive amounts of personal data that wasn't strictly needed and was only useful because of the way they chose to design their system of collecting the fares.

In other contactless PAYG systems, like OV Pay, checking journey history online is done by means of a reference code on the bank statement. Absolutely no personal data is needed.

Tetchytyke · 21 Oct 2024

miklcct said:
In other contactless PAYG systems, like OV Pay, checking journey history online is done by means of a reference code on the bank statement. Absolutely no personal data is needed.

That is personal data too- it links the bank account owner with the traveller.

Many financial institutions use exactly that method- a code on a bank statement- to prove ownership of the bank account.

miklcct · 21 Oct 2024

Tetchytyke said:
That is personal data too- it links the bank account owner with the traveller.

Many financial institutions use exactly that method- a code on a bank statement- to prove ownership of the bank account.

The transport company, in this case, does not even know who the bank account owner is. What the transport company has is a token of the bank account, similar to just having an address without a name.

However, if a customer contacts the customer service, then it becomes personal data because the name will then be known and can be linked to the token.

Recessio · 21 Oct 2024

miklcct said:
In other contactless PAYG systems, like OV Pay, checking journey history online is done by means of a reference code on the bank statement. Absolutely no personal data is needed.

And as someone who just had to look up thirty separate OVPay statements to expense them, it was a complete pain in the backside. Much easier to just log into Oyster and see it there in one go.

35B · 21 Oct 2024

redreni said:
That announcement doesn't say it was only Oyster refund data. It says it was customer names and contact details, then it says Oyster refund data may "also" have been accessed.

As for TfL going out of its way to collect personal data of the type they then lost control of (customer names and contact details), while I am always happy to be challenged on what I say and to be invited to provide evidence or argument to support it, I am a little surprised this would be regarded as contentious.

TfL actively encourages use of PAYG and actively encourages PAYG users to register their oyster or contactless payment cards. Anyone who has tried to do simple things like check their journey history with respect to an unregistered payment card can attest to the strong encouragement to register, including by limiting the availability of information the passenger may want or need if they do not register. They have led the public transport sector in collecting data about passengers and journeys and this includes personal data.

I do not suggest this is inherently bad or that TfL had bad intentions when it did this, but I do take into account that they went out of their way to do it to a much greater extent than was strictly necessary. They began doing it at a time when most other transport operators only collected personal data that was strictly required (such as for monthly or longer season ticket or concessionary pass holders).

If an organisation is hacked and personal data that they were required to hold was compromised, I would be open to the idea that the organisation may deserve our sympathy until and unless it transpires that they didn't take reasonable steps to safeguard the data. I have less sympathy when they were holding massive amounts of personal data that wasn't strictly needed and was only useful because of the way they chose to design their system of collecting the fares.

It is strictly necessary, because people like me who like to know how our money is being used will insist on having receipts - and account registration is how you make that work.

Working within the industry, and having seen what it is like working around a major incident, I have every sympathy for the staff involved. My sympathy, or not, for the organisation is about the quality of the cyber defences involved and whether TfL did what was reasonable*, or relied on good luck and that luck ran out. The identity of the perpetrator is almost irrelevant to that - as is their age.

* - a reminder, no security is absolute and guaranteed to succeed.

redreni · 21 Oct 2024

35B said:
It is strictly necessary, because people like me who like to know how our money is being used will insist on having receipts - and account registration is how you make that work.

Working within the industry, and having seen what it is like working around a major incident, I have every sympathy for the staff involved. My sympathy, or not, for the organisation is about the quality of the cyber defences involved and whether TfL did what was reasonable*, or relied on good luck and that luck ran out. The identity of the perpetrator is almost irrelevant to that - as is their age.

* - a reminder, no security is absolute and guaranteed to succeed.

Yes I agree any lack of sympathy for the organisation doesn't mean individuals dealing with this don't deserve sympathy.

I also have sympathy for those in further or higher education who have to extend a line of credit to TfL through absolutely no fault of their own, whether or not they are able to do so. Even if they can obtain credit on commercial terms, they shouldn't have to borrow that money simply in order to loan it to TfL. If they do so then that's money they can't borrow and use for any other purpose.

35B · 21 Oct 2024

redreni said:
Yes I agree any lack of sympathy for the organisation doesn't mean individuals dealing with this don't deserve sympathy.

I also have sympathy for those in further or higher education who have to extend a line of credit to TfL through absolutely no fault of their own, whether or not they are able to do so. Even if they can obtain credit on commercial terms, they shouldn't have to borrow that money simply in order to loan it to TfL. If they do so then that's money they can't borrow and use for any other purpose.

I quite agree. But that is about how TfL make matters good in the aftermath - it does not extend to the same degree of culpability that you propose for TfL as an organisation.

eta · 23 Oct 2024

After nearly two months of no service, it seems like TfL have managed to bring their Trackernet feeds back! They don't seem to have made any formal announcement about it yet, but I'm sure that'll come in due course.

For the uninitiated, these are what power live Tube data on their own website, as well as live times through things like Citymapper and my very own intertube. It started working again at around 6pm, and indeed checking up on various apps it looks like everything's returned to normal!

I wonder whether they'll end up releasing a detailed report on what went wrong, and how it took them so long to get everything back up and running -- it's not been fun doing journey planning without live data, and I know my journeys have been worse off for it!

ThameslinkUser · 23 Oct 2024

Fantastic news

Peter Mugridge · 23 Oct 2024

That's excellent, and it must have been in the last few hours - I last checked Intertube around 17.00 this evening and it was still down - definitely showing everything now...

...and just in time to detail a suspension of the Bakerloo because a train has failed at Piccadilly Circus ( appears to be units 3232 + 3456 on diagram 010 ).

35B · 24 Oct 2024

eta said:
After nearly two months of no service, it seems like TfL have managed to bring their Trackernet feeds back! They don't seem to have made any formal announcement about it yet, but I'm sure that'll come in due course.

For the uninitiated, these are what power live Tube data on their own website, as well as live times through things like Citymapper and my very own intertube. It started working again at around 6pm, and indeed checking up on various apps it looks like everything's returned to normal!

I wonder whether they'll end up releasing a detailed report on what went wrong, and how it took them so long to get everything back up and running -- it's not been fun doing journey planning without live data, and I know my journeys have been worse off for it!

I suspect that any report released to the public will be quite anodyne, as the information about recovery would be of use to anyone with more malign intent in future as it would inform reverse engineering of TfL’s IT architecture.

Recessio · 24 Oct 2024

Oyster login, top up and journey history appear to be working again. Photocard is still down though.

Goldfish62 · 24 Oct 2024

I'm told that a significant number of bus routes will disappear off live tracking next week due to operators implementing school holiday schedules for half-term. Several routes already don't track due to schedule changes being implemented since the cyber attack, eg 290, E8, W9.

Mojo · 24 Oct 2024

Recessio said:
Oyster login, top up and journey history appear to be working again. Photocard is still down though.

l didn’t think this ever went down (apart from planned works) - l certainly have used it multiple times since the start of September.

island · 24 Oct 2024

Mojo said:
l didn’t think this ever went down (apart from planned works) - l certainly have used it multiple times since the start of September.

Indeed, although the default login portal was unusable and you had to go in a different way.

NorthLondoner · 24 Oct 2024

Does anyone know when routes such as the W9, E8 and the 290 should be tracking again?

Goldfish62 · 24 Oct 2024

NorthLondoner said:
Does anyone know when routes such as the W9, E8 and the 290 should be tracking again?

I'm told mid-ish November. Things are going to get worse before they get better.

Edvid · 24 Oct 2024

Acceptance of expired 5-10 / 11-15 Zip cards has been extended to 31 December.

Cyber security incident in September 2024

Keep up to date on the latest investigations into the cyber security incident and our response

tfl.gov.uk

TfL Cyber Security Incident

Member

RailUK Forums

On Moderation

Attachments

Established Member

Established Member

On Moderation

Established Member

Member

Established Member

Established Member

Member

On Moderation

Established Member

On Moderation

Veteran Member

On Moderation

Member

Established Member

Established Member

Established Member

Member

Member

Veteran Member

Established Member

Member

Veteran Member

Forum Staff

Veteran Member

Member

Veteran Member

Established Member