The National Crime Agency (NCA) has made a significant development in its investigation of a cyber security incident involving Transport for London (TfL). A 17-year-old male was arrested on 5 September under suspicion of violating the Computer Misuse Act in connection with the cyber attack on TfL’s network, which began on 1 September. The teenager was questioned by NCA officers and subsequently released on bail while the investigation continues.
Paul Foster, Deputy Director and head of the NCA’s National Cyber Crime Unit, highlighted the urgency and importance of the investigation. He emphasized the disruption caused by the attack on public infrastructure and expressed gratitude for TfL’s swift response and ongoing cooperation, which has facilitated the investigation. Foster noted that identifying the perpetrators and addressing the breach has been a priority.
NCA Arrests Teen in Cyber Attack on Transport for London, Delays Contactless Payment Expansion
Initially, TfL reported experiencing an “ongoing cyber security incident” on 1 September and had to temporarily suspend its Dial-a-Ride service for disabled individuals. Although early reports indicated no evidence of compromised customer data, further investigation has revealed that some data was indeed accessed or lost during the attack. TfL has since referred itself to the Information Commissioner’s Office (ICO) due to the data breach.
TfL’s Chief Technology Officer, Shashi Verma, disclosed that the breach involved customer names, contact details, and potentially some Oyster card refund data, which may include bank account information for a limited number of customers. TfL plans to notify affected individuals directly and provide support. Verma also assured that TfL is working with partners and the ICO to address the situation and will offer updates as the investigation progresses.
In response to the cyber attack, TfL has implemented new IT security measures to protect critical systems. However, this has resulted in a delay in the planned roll-out of contactless payment services to 47 additional stations outside London. Verma indicated that the security enhancements have made it impossible to meet the initial schedule of expanding contactless payment options by 22 September.
