Dial-a-Ride, the free door-to-door transit service for disabled people operated across the capital by Transport for London (TfL), has suspended new booking requests as a result of an ongoing cyber attack against the wider TfL IT estate.
Computer Weekly understands that the continuing incident, the nature of which has not been disclosed by TfL beyond a brief media statement, has left Dial-a-Ride staff struggling with limited access to some of their IT systems and email.
As a result, the service is experiencing significant delays in responding to inbound requests, and as such TfL has taken the decision to suspend new bookings.
The Dial-a-Ride service is designed for people with a permanent or long-term disability that makes it impossible for them to use buses, the Underground, or surface rail, and provides flexible transport options for essential local travel within the 32 boroughs that make up Greater London. It operates a fleet of minibuses that function more like communal taxis than buses, with drivers trained to provide some assistance to passengers – such as helping them on or off the vehicle – if needed.
The wider cyber attack has not affected TfL’s ability to run regular services on London’s bus network, the Underground, or its other services, and the organisation has previously said that there is no evidence to suggest that passenger data it holds has been compromised.
However, the incident does seem to be impacting passenger logins for contactless and Oyster payment accounts, and some APIs used by third-parties, such as Citymapper.
The incident appears to have started on or around Monday 2 September, and TfL has been working alongside the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) to mitigate the impact.
In a statement issued on Monday, TfL CTO Shashi Verma said: “We have introduced a number of measures to our internal systems to deal with an ongoing cyber security incident. The security of our systems and customer data is very important to us and we will continue to assess the situation throughout and after the incident.”
Tight-lipped response
TfL has remained tight-lipped about the precise nature of the incident, although The Register earlier reported that a network appliance vulnerability may have been the initial access point that precipitated the attack.
TfL is also yet to comment on the suspension of Dial-a-Ride bookings. However, its admission that staff are unable to access some systems – coupled with evidence of restricted network availability uncovered by external researcher Kevin Beaumont – would suggest that the organisation is attempting to contain a ransomware attack.
Mark Robertson, chief research officer at AcumenCyber, a managed security services provider (MSSP), said: “Employees being locked out of systems is often the number one consequence in ransomware attacks. However, until TfL provides a more detailed update, we can’t say for sure what incident the transport network is facing, or who carried it out.
“Fortunately, all Tube services seem to be running as normal, which does indicate TfL has been able to prevent the incident from having an operational impact. Otherwise, the whole of the capital could have been brought to a standstill. This also suggests that TfL had already prioritised incident response planning to help the organisation prepare for cyber attacks and limit their impact,” he added.