Transport for London hackathon goes on

Published on 28-10-2024 at 12:28

London Underground train at the platform with doors open ready to depart (TfL) — Is Transport for London an open door for cyber attack? Transport for London

Whether your name is Mr Anderson, or Agent Smith, if you’ve been trying to renew your concessions on Transport for London, and found yourself down a rabbit hole of unavailability – you’re not alone. Take a blue pill and relax, TfL is deep in a matrix of recovery from a long-standing cyber attack.

At the beginning of September, deep in the digital fortress of Transport for London, things started to misbehave. Since then, TfL has been gradually admitting to a wider and wider disruption to its back office systems. It’s been forced to notify thousands of public transport account holders (that’s code for: “people”) that their details have been compromised. The bad news, which may also be the good news: it was a seventeen-year-old school kid what did it. For a laugh, apparently.

From teenage bedroom to criminal courtroom

The trains still run, the Tube is its usual busy self, and the buses turn up at the stops. That trinity of public transport is still its (usually) reliable self. It’s just all been a little less predictable than normal. Some Transport for London apps have been proving less informative. People have been seen doing something quite quaint: referring to a timetable more frequently than usual.

Historic 55 Broadway, up until 2020, the active Transport for London HQ (TfL-Flickr)

We think it’s nearly the end of October, but the truth is, we’re no nearer knowing when Transport for London might fully recover from what it calls a “sophisticated and aggressive” attack on its digital systems. However, much to the relief of the 3.23 million people who get about London every day on cable cars, river buses, and slightly more conventional urban transport solutions, the culprit appears not to be a malevolent foreign actor. That is something of a relief given the dire warnings of such nefarious intentions. Rather, the neo-nemesis of TfL appears to have been a reclusive school-age hacker intent on nothing more than mischief – who may well find himself swapping his bedroom for a prison cell.

Dystopia never seemed so appealing

That mischievous hack is no laughing matter. Many people, around the world, hold one of London’s ubiquitous Oyster Card travel passes. A few months ago, many received a message informing them of a security breach at TfL. It noted that “certain customer data” had been accessed. That’s since escalated to thousands of accounts. Oyster Cards continue to work – and still do. Just don’t try applying for a new one any time soon.

All fares, please. Historic London Routemaster bus, when the only hack was to jump off the platform at the back and run for it (TfL)

It looks like yet another of those irksome hacks that afflict twenty-first-century life. Some commentators have mused that it’s the sort of thing that makes us all, briefly, yearn for bygone days. Back when ticket machines accepted ten pence pieces and dispensed cardboard tickets, which were rigorously checked by dystopianly identical agents at the barrier. Actually money and actual tickets – who would have thought.

Keep your fare records and claim

However, the truth is behind the scenes. In the art deco HQ at the 55 Broadway building (well, actually, a rather faceless office complex in the Olympic Park in Stratford since 2020), digital agents of the organisation have been toiling for over two months to restore systems, line of code by line of code.

Docklands Light Railway train at Canary Wharf in London — The sophisticated driverless Docklands Light Railway network was among the systems not compromised (Transport for London media image)

TfL has been understandably coy about the matter, but now, almost eight weeks after the attack first surfaced, the effects are beginning to bite. Some concession cards are not renewing, and some fare anomalies are presenting themselves. TfL has conceded that there are issues, but has reassured passengers that any problems will be addressed. In other words, they are preparing themselves for a winter of discontent, and a sheaf of claims for overcharged fares. The incident is, we believe, unrelated to the hack which affected Network Rail’s public wifi systems around a month ago.

Bedroom hacker arrested

For now, certain users, notably young travellers using age-restricted passes known as Zip Cards, have been told to continue using them, even if they’ve expired. However, that concession was due to end in three days, at the end of October. It’s expected that TfL will extend it again. Similarly, older London residents, who can purchase a concession card, have been instructed to continue, regardless. Their annual renewal (to verify their continued residency in London and, presumably, their continued avoidance of death) has been suspended.

An arrest was made about one month ago. Media in London reported that a 17-year-old, who spent rather too long indoors, had been taken into custody. The motive for the attack remains unclear, although the young male perpetrator – if the only person involved – has made no direct financial gain from the attack. Meanwhile, TfL statements put the cost at “millions”. It’s safe to assume that “millions” means “many millions indeed”.