
Cyber Incident Victim: The Go-Ahead Group

Date: Sep 2022

Location: United Kingdom

Summary

A major London bus operator experienced unauthorized network activity, prompting immediate engagement of external forensic specialists and precautionary IT measures to investigate the incident. While UK and international rail services remained unaffected, bus operations faced potential disruptions due to compromised driver and vehicle rosters. The company, which manages over 2400 buses in the capital and employs more than 7000 staff, also operates several key UK rail services. The cybersecurity event occurred shortly before a pending acquisition by an international consortium.


Description

On September 5, 2022, Newcastle-based transportation group Go-Ahead detected unauthorized activity on its IT systems, prompting it to disclose a cybersecurity incident to the London Stock Exchange the following day. The company, which operates London's largest bus fleet (over 2,400 vehicles) and employs more than 7,000 staff across multiple UK regions, immediately engaged external forensic specialists to investigate the breach. As a precautionary measure, Go-Ahead implemented containment protocols affecting portions of its IT infrastructure while activating incident response plans. The organization confirmed its UK and international rail services—including Great Northern, Thameslink, Gatwick Express, and Southern—remained fully operational without disruption. However, early assessments indicated potential operational impacts on bus services, particularly regarding digital systems managing bus scheduling and driver rostering across its networks in London, the South, South West, North West, East Anglia, East Yorkshire, and the North East.


The incident occurred during a critical transition period, as Go-Ahead was scheduled for acquisition by a Kinetic-Globalvia consortium in a £669m deal within weeks of the attack. While the company did not publicly attribute the incident to ransomware or disclose specific attacker methodologies, it acknowledged ongoing efforts to determine the breach's full scope and duration. Sky News reported that compromised scheduling systems threatened to disrupt bus operations through potential roster inaccessibility, though no service cancellations were confirmed at the time of disclosure. For historical context, mass transit systems have been frequent targets of threat actors, with prior attacks affecting subway operators in Toronto, San Francisco, and New York. Go-Ahead continued to assess the impact but did not release additional details regarding data compromise, attacker origins, or recovery timelines in its initial statement.
