Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
Transport for London has warned that some customer data has been accessed in a cyber security breach, including potentially the bank details of thousands of its passengers.
London’s transport authority said it first identified “suspicious activity” on September 1, and has since discovered that “certain customer data has been accessed”, including some names and contact details.
Bank details of up to 5,000 passengers could also have been accessed through refund data from its Oyster contactless payment system, TfL added.
A 17-year-old boy was arrested in Walsall earlier this month as part of the investigation into the incident affecting TfL, the National Crime Agency said in a separate statement on Thursday.
The boy was detained on suspicion of Computer Misuse Act offences in relation to the attack, and has been bailed.
“Attacks on public infrastructure such as this can be hugely disruptive and lead to severe consequences for local communities and national systems,” Paul Foster, head of the NCA’s National Cyber Crime Unit, said.
TfL, a local government body, runs the city’s transport network, including London Underground, buses, some rail services and trams. It is also responsible for major roads in the city.
TfL said it is working with the National Crime Agency and National Cyber Security Centre to conduct an investigation into the breach, and that it has “taken access to limit access” to its systems.
“Although there has been very little impact on our customers so far, the situation continues to evolve and our investigations have identified that certain customer data has been accessed,” Shashi Verma, TfL’s chief technology officer, said.
“I would like to apologise for the inconvenience this incident may cause customers and I thank everyone for their patience,” she added.
The cyber attack has not affected passenger services, but TfL has been forced to limit live train and bus data sent to some travel apps, as well as restrict some online services including access to customers’ journey history.
It has also postponed plans to fit contactless payment readers to 47 stations outside London, which was due to be completed on 22 September.