
Cyber Incident Victim: Transport for London

Date: May 2023

Location: United Kingdom

Summary

Transport for London suffered a data breach after its contractor, Zellis, was compromised by the Russian cybercrime gang Clop. The attackers exploited a vulnerability in MOVEit file transfer software, stealing the personal data of approximately 13,000 drivers. The compromised information included details from the Ulez, Congestion Charge, and parking offences databases. The incident was part of a wider global attack that also affected several other major UK organizations.


Description

On or around May 25, 2023, Transport for London (TfL) was impacted by a cyber attack. The incident was part of a wider, global campaign conducted by a prolific Russian cybercrime gang known as Clop. The group did not directly breach TfL's own IT systems but instead targeted a third-party contractor used by the transport authority. This contractor was responsible for managing data related to the Ultra Low Emission Zone (Ulez), the London Congestion Charge zone, and parking offences. The attack vector was a vulnerability in MOVEit, file transfer software used by the contractor, Zellis, a payroll and HR management company.


The data breach resulted in the theft of personal information belonging to approximately 13,000 drivers. Initially, a miscommunication from TfL's press office suggested 13,000 staff members were affected, but this was later corrected. The compromised driver data was stored by the contractor on behalf of TfL. The stolen information was reported to include sensitive personal details such as bank account information, National Insurance numbers, and home addresses. This data theft exposed the affected individuals to potential identity theft and financial fraud.

The incident was part of a larger exploitation by the Clop gang, which targeted a zero-day vulnerability in the MOVEit file transfer tool at the end of May. Zellis, which used this software, was compromised, leading to data being stolen from eight of its UK customers. Other major organizations affected through the Zellis breach included British Airways, the BBC, Aer Lingus, and Boots. However, TfL and other organizations, such as the regulator Ofcom, were also directly targeted by Clop in separate attacks that were distinct from the Zellis compromise.

Upon discovery of the breach, TfL took action to address the issue. The transport authority stated that the problem had been fixed and that the affected IT systems had been secured. TfL initiated a process of directly writing to all 13,000 impacted drivers to inform them that their data had been stolen. The organization also formally reported the incident to the Information Commissioner’s Office (ICO), the UK's independent authority upholding data privacy rights, as is required by data protection regulations.

The wider response to the campaign involved national cybersecurity authorities. The National Cyber Security Centre (NCSC), the public-facing arm of GCHQ, contacted affected British companies to provide guidance and ensure their servers were secured against the ongoing threat. Some companies reported that these official warnings were issued early enough for them to close the specific loophole exploited by the hackers, potentially preventing further compromises.

The Clop gang imposed a ransom deadline on the companies it had victimized. The gang posted a note on the dark web urging the hacked organizations to contact them to negotiate a payment. The typical ransom demands were reported to be in the range of millions or tens of millions of pounds. The gang's established modus operandi was to follow through on its threats to publish the stolen sensitive data on the dark web if the ransom was not paid by the specified deadline.

The financial implications of such data breaches are significant. Government statistics cited from the previous year indicated that 40 percent of all UK businesses were affected by cyber attacks, with the average cost being £19,400. For a small business, the cost of a data breach was estimated to start at around £11,000. For larger organizations, the costs could escalate into the millions due to ransom payouts, regulatory fines, and extensive cleanup and remediation efforts. Under UK data protection laws, companies that suffer a breach can be fined up to 4 percent of their annual global turnover. For Zellis, this potential penalty was reported to be approximately £7 million.

The Clop gang has a long history of cybercriminal activity, with experts noting its members have been involved in such operations for nearly a decade. The Russia-based group specializes in data theft and extortion, using the dark web to pressure its victims. Prior attacks attributed to Clop have targeted a wide array of major global entities, including Hitachi, the Federal Reserve Bank of New Zealand, US-based Community Health Systems, and the Swiss pharmaceutical company Galderma. The attack on TfL and its contractor is consistent with this pattern of targeting organizations that hold large volumes of valuable personal and financial data.

The primary impact of the incident on TfL was the compromise of its contracted service provider and the subsequent data breach of its drivers' information. The operational continuity of TfL's congestion charge and Ulez systems did not appear to be directly disrupted by the attack, as the focus was on data exfiltration rather than system disruption. The reputational impact and the potential for regulatory scrutiny from the ICO remained ongoing concerns following the breach notification. The incident highlighted the cybersecurity risks associated with third-party suppliers and the reliance on common software platforms that, when compromised, can have a cascading effect across multiple organizations.
