Cyber Incident Victim: Northern Rail

On or around July 19, 2021, Northern Rail experienced a ransomware cyberattack targeting its self-service touchscreen ticket machines, forcing the company to take all affected machines offline across its network in northern England. The attack disrupted ticket sales at approximately 420 stations where 600 Northern-operated machines had been installed just two months prior. Northern Rail immediately advised customers to purchase tickets through alternative channels including its mobile application, website, or physical ticket offices while the machines remained inoperable. A company spokesperson confirmed technical difficulties prompted an investigation with their supplier Flowbird, which identified the ransomware incident as the cause. Both Northern Rail and Flowbird publicly stated no evidence indicated compromise of customer information or payment data during the attack.

The ransomware incident caused sustained operational disruption with no publicly disclosed restoration timeline for the ticket machines as of the July 20, 2021 report. Northern Rail acknowledged the inconvenience to passengers and expressed commitment to restoring normal operations but provided no technical details about containment measures or decryption efforts. Neither organization confirmed whether attackers made contact or issued ransom demands. The attack occurred amid heightened global ransomware threats in 2021, though no attribution to specific threat actors was disclosed. Northern Rail's response centered on coordinating with Flowbird for system recovery while maintaining alternative sales channels to minimize passenger impact during the outage.