Ongoing TfL cyber attack takes out Dial-a-Ride service

Dial-a-Ride, the free door-to-door transit service for disabled people operated across the capital by Transport for London (TfL), was forced to temporarily suspend new booking requests as a result of an ongoing cyber attack against the wider TfL IT estate.

It is understood that the continuing incident, the nature of which has not been disclosed by TfL beyond a brief media statement, left Dial-a-Ride staff struggling with limited access to some of their IT systems and email. As a result, the service began to experience significant delays in responding to inbound requests, and TfL took the decision to suspend new bookings.

A TfL spokesperson confirmed that the service had had to be suspended, but told Computer Weekly that things were now up and running again.

“As a result of the internal measures we are taking as part of the cyber security incident, the booking system for Dial a Ride was temporarily down, although pre-existing bookings were still fulfilled. We are now able to take essential bookings and hope the situation will further improve as the day goes on,” they said.

The Dial-a-Ride service is designed for people with a permanent or long-term disability that makes it impossible for them to use buses, the Underground, or surface rail, and provides flexible transport options for essential local travel within the 32 boroughs that make up Greater London. It operates a fleet of minibuses that function more like communal taxis than buses, with drivers trained to provide some assistance to passengers – such as helping them on or off the vehicle – if needed.

The wider cyber attack has not affected TfL’s ability to run regular services on London’s bus network, the Underground, or its other services, and the organisation has previously said that there is no evidence to suggest that passenger data it holds has been compromised.

However, the incident does seem to be impacting passenger logins for contactless and Oyster payment accounts, and some APIs used by third parties, such as Citymapper.

The incident appears to have started on or around Monday 2 September, and TfL has been working alongside the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) to mitigate the impact.

In a statement issued on Monday, TfL CTO Shashi Verma said: “We have introduced a number of measures to our internal systems to deal with an ongoing cyber security incident. The security of our systems and customer data is very important to us and we will continue to assess the situation throughout and after the incident.”

Tight-lipped response

TfL has remained tight-lipped about the precise nature of the incident, although The Register earlier reported that a network appliance vulnerability may have been the initial access point that precipitated the attack.

TfL’s admission that staff are unable to access some systems – coupled with evidence of restricted network availability uncovered by external researcher Kevin Beaumont – would suggest that the organisation is attempting to contain a ransomware attack.

Mark Robertson, chief research officer at AcumenCyber, a managed security services provider (MSSP), said: “Employees being locked out of systems is often the number one consequence in ransomware attacks. However, until TfL provides a more detailed update, we can’t say for sure what incident the transport network is facing, or who carried it out.

“Fortunately, all Tube services seem to be running as normal, which does indicate TfL has been able to prevent the incident from having an operational impact. Otherwise, the whole of the capital could have been brought to a standstill. This also suggests that TfL had already prioritised incident response planning to help the organisation prepare for cyber attacks and limit their impact,” he added.
