TfL cyber-attack: teenager from Walsall arrested in connection with data breach

Police have arrested a teenager from Walsall in connection with the cyber-attack on Transport for London , as TfL said it had discovered that thousands of customers’ details had potentially been breached.

The National Crime Agency (NCA) said a 17-year-old male was detained on suspicion of offences under the Computer Misuse Act 1990, in relation to the attack launched on TfL’s systems on 1 September. The teenager was arrested on Thursday last week and released on bail after questioning by NCA officers.

The NCA deputy director, Paul Foster, the head of the agency’s cybercrime unit, said: “We have been working at pace to support Transport for London after a cyber-attack on their network, and to identify the criminal actors responsible.

“Attacks on public infrastructure such as this can be hugely disruptive and lead to severe consequences for local communities and national systems.

“The swift response by TfL following the incident has enabled us to act quickly, and we are grateful for their continued cooperation with our investigation, which remains ongoing.”

TfL said it was contacting about 5,000 customers as a precaution to warn that their email and bank account details could have been accessed. It is understood to relate to those who had applied for refunds on journeys made using Oyster cards.

TfL said the cyber-attack would also hold up the rollout of contactless travel to dozens of railway stations around south-east England, which had been due to allow commuters to travel ticket-free into London from 22 September.

Shashi Verma, TfL’s chief technology officer, said a thorough investigation was continuing in tandem with the NCA and the National Cyber Security Centre (NCSC).

Verma added: “Although there has been very little impact on our customers so far, the situation continues to evolve and our investigations have identified that certain customer data has been accessed. This includes some customer names and contact details. Some Oyster card refund data may also have been accessed. This could include bank account numbers and sort codes for a limited number of customers.

Related: Transport for London cuts data feeds to travel apps amid cyber-attack

“We have notified the Information Commissioner’s Office and are working at pace with our partners to progress the investigation. We will provide further updates as soon as possible.”

All TfL staff will have to report to to its headquarters in Southwark to reset their digital identities for email access. TfL said the all-staff IT identity check would be done by appointment in the coming week and that it did not expect any significant impact to customer journeys.

Verma said the measures meant it was now not possible for TfL to carry out planned system changes to allow another 47 rail stations to operate pay-as-you-go contactless travel later this month, and that it was working with government and the rail industry to reschedule.

The attack has affected live data feeds serving travel apps such as Citymapper and TfL Go, but public transport services have been running as normal and not directly affected. Many TfL office staff have been asked to work from home.

TfL has stopped customers accessing information including journey history and photocard registration as part of measures to tackle the breach. It said no ransom demand had been made in the attack.

The NCSC said it had worked closely with TfL and the NCA since the start of the incident. Jonathon Ellison, the NCSC’s director for national resilience, said it urged “anyone who thinks they may have been the victim of a data breach to be especially vigilant against suspicious emails, phone calls or text messages and to follow the steps set out in our data breaches guidance ”.