The news that TfL had suffered a cyber attack barely made headlines. I read it, but didn't think it would affect me, as they said it wasn't going to affect passengers.
Until, of course, my Oyster card ran low, and I needed to top it up online. And found I couldn't.
Transport chiefs in London are restricting access to a photocard portal for Oyster 60+ and other travel concessions after a cyber attack. The incident, which first became public on Monday evening, has largely not affected people who use the transport system in the capital.
But the transport bosses have now decided to temporarily restrict access to the photocard portal, which allows customers to apply for travel concessions, including the Zip Photocard, 16+ and 18+ Photocard and the 60+ Oyster photocard, as the investigation continues into the cyber targeting.
It also prevents people wanting to top up their balance online from doing so. As I found out. The only way to do it is at a shop. They didn't exactly advertise this, I had to find out from Twitter.
In an updated statement, Shashi Verma, TfL’s Chief Technology Officer, said: “There remains no impact to our public transport services and no evidence that any customer data has been compromised.
“However, as part of the measures implemented to deal with the ongoing cyber security incident, we have temporarily restricted access to customer journey history for pay as you go contactless customers, as well as limited access to some live travel data via apps, TfL Go and the TfL website, including next train information and the TfL JamCams.
“In addition, we have made the decision to temporarily restrict access to the photocard portal, which allows customers to apply for travel concessions, including the Zip Photocard, 16+ and 18+ Photocard and the 60+ Oyster photocard.
“We apologise for any inconvenience that these temporary changes will cause to some customers and are working to bring these back online as quickly as possible.”
All that money the London Mayor gives TfL and where does it go? Not on cyber security, it seems.
And on Friday morning I got an email. Ooh, I thought, they've fixed it! That is, until I opened it:
So much for 'no evidence that any customer data has been compromised' Shashi. Looks like you found some after all. Good job you kept looking, eh?
When you get hit by an attack it is rare that you know exactly how it happened and thus know what has been compromised. So they respond to the customers with the CYA statement but they can't do that with the authorities. They will hit them big time if they lie. Now they can say that investigations are underway and restrict access to certain areas that may be vulnerable as a precaution as that makes sense. However until they identify what happened they cannot be sure what has been compromised and what has not. The bad guys may even have put a backdoor in and be siphoning data out as the investigation is taking place or simply waiting for it to die down and access the data at their leisure. Computer security is complex and the bad guys are smart. We play catchup once they show what the problem is but that means they get first dibs.
ReplyDeleteThis again show how bad an idea a government run central currency is going to be. Can people needing transport get it. If I remember you need a card for any journeys via bus. Now you have to go somewhere to top up. So much for the convenience of the card.
They certainly do need to upgrade their security if a seventeen year old boy can breach it.
ReplyDeletehttps://www.bbc.com/news/articles/c4gqg2elkj4o.amp