Cyber Incident Victim: Transport for London
Date: Jun 2023
Location: United Kingdom
Summary
Transport for London was affected by a global supply-chain cyberattack exploiting a vulnerability in the MOVEit file transfer software used by one of its contractors. The incident resulted in a data breach, though the compromised information did not include passenger or banking details. The organization secured its IT systems, notified the relevant data protection authority, and informed all individuals whose data was involved in the breach.
Description
On or around June 15, 2023, Transport for London (TfL) confirmed it had been affected by a mass cyber-attack. The incident was part of a wider global breach impacting numerous organizations that utilized a file transfer tool called MOVEit, developed by the US company Progress Software. TfL clarified that the breach did not originate from its own direct use of the MOVEit software but was instead the result of a compromise at one of its contractors. This incident is categorized as a supply-chain attack, where a vulnerability in a third-party service provider is exploited to gain access to the data of its clients.

The attackers, identified as being linked to the notorious Clop ransomware group believed to be based in Russia, exploited a security flaw within the MOVEit Transfer tool. This vulnerability allowed them to gain unauthorized access to the systems of organizations using the software to move sensitive files securely. The breach was first publicly disclosed when Progress Software announced that hackers had found a way to break into its product. The criminal group subsequently issued threats to begin publishing data from companies that did not initiate ransom negotiations with them by a specified Wednesday deadline.
For Transport for London, the data compromised in the incident did not include any passenger information or banking details. The breach was contained to data managed by the affected third-party contractor. Upon becoming aware of the issue, TfL took action to address the situation. The organization reported that the problem had been fixed and its relevant IT systems had been secured. As part of its response, TfL initiated a process to directly notify all individuals whose data was involved in the breach. Furthermore, TfL formally reported the incident to the UK's data protection authority, the Information Commissioner's Office (ICO), in compliance with regulatory obligations.
The impact of the wider MOVEit campaign was significant, affecting a large number of UK and international organizations. Other prominent UK victims included British Airways, Boots, the BBC, and the media regulator Ofcom. In many cases, these organizations were impacted through their payroll providers, such as Zellis, which used the MOVEit software and suffered a direct breach. This led to the theft of extensive personal data belonging to current and former employees across these companies. The incident underscored the systemic risk posed by vulnerabilities in widely used third-party software and service providers.
The response from TfL and other affected organizations followed a pattern of containment and notification. Actions taken generally included immediately discontinuing the use of the vulnerable MOVEit service, implementing recommended security patches and measures provided by the software vendor, launching internal investigations to determine the scope of data accessed, and notifying regulatory bodies and individuals whose personal information was compromised. The criminal group's history of carrying out its threats to publish stolen data meant there was a continued risk of exposed information appearing on darknet websites, though TfL's statement indicated the specific data taken from its contractor did not include the most sensitive financial details. The incident highlighted the challenges large organizations face in securing their supply chains and managing third-party risk.
