Transport for London Cyber Attack 

Transport for London (TfL) is currently dealing with a cyber attack that has targeted its computer systems. Sources within TfL have revealed that staff have been encouraged to work from home where possible, as the attack primarily affects the transport provider’s back-office systems at its corporate headquarters. TfL is collaborating closely with the National Crime Agency and the National Cyber Security Centre to respond to the incident. 

Shashi Verma, TfL’s Chief Technology Officer, said: 

“We have implemented several measures to address an ongoing cybersecurity incident within our internal systems. The security of our systems and customer data is of utmost importance, and we are continuously assessing the situation throughout this incident.”  

Mr Verma emphasised that, although a complete assessment is still underway, there is no current evidence of customer data being compromised. If it turns out that any personal data has been compromised, whether employee or customer data, TfL will of course need to consider reporting the matter to the Information Commissioner’s Office (ICO) as a personal data breach under Article 33 of the UK GDPR. As a statutory body, failure to do so could lead to TfL being fined up to £8.7 million. If the ICO investigates and finds a breach of the DP Principles (e.g. security), this could rise to £17.5 million.

Not so long ago, major cyber incidents involving personal data were almost certain to attract an ICO fine. In 2018, British Airways and Marriott International were fined £20 million and £18.4 million respectively. More recently, the ICO has tended to issue reprimands instead, in line with its policy on public sector enforcement. It recently issued a reprimand to the Electoral Commission following the discovery that unspecified “hostile actors” had been able to access copies of the electoral registers from August 2021. On 26th June 2024, the ICO announced that it will now review the two-year trial before making a decision on the public sector approach in the autumn.

This is not the first cyber attack on a major public service provider in the capital. Last month the ICO announced that it had issued a GDPR Notice of Intent of £6.09 million to an NHS IT supplier, Advanced. This followed its findings that the company failed to adequately protect the personal data of 82,946 individuals, in breach of Article 32 of the UK GDPR. As a key IT and software provider for the NHS and other healthcare organisations across the country, Advanced often holds the role of Data Processor for many of its clients. The breach in question occurred during a ransomware attack in August 2022. Hackers gained entry through a customer account that lacked multi-factor authentication, and from there accessed multiple health and care systems operated by Advanced. The compromised data included phone numbers, medical records, and even details of how to access the homes of 890 individuals receiving at-home care.

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations that wish to upskill their employees in cyber security. See also our Managing Personal Data Breaches Workshop.

Author: actnowtraining

Act Now Training is Europe's leading provider of information governance training, serving government agencies, multinational corporations, financial institutions, and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.
