Although public transport services, including the London Underground and buses, continue to operate normally, the decision to restrict data has affected real-time travel updates on travel apps like Citymapper and TfL Go as well as the TfL website.
As a result, key services such as live departure times for Tube trains and traffic updates from TfL JamCams have been suspended.
Despite the restrictions, platform information displays for passengers at Tube stations, and bus countdown services remain fully operational.
In a statement, TfL said that while the nature of the cyberattack is still under investigation, there is no indication that it is a ransomware incident. No ransom demands have been made, and there has been no evidence so far that customer data has been compromised.
“The security of our systems and customer data is very important to us. We continually monitor who is accessing our systems to ensure only those authorised can gain access,” Shashi Verma, TfL’s Chief Technology Officer, said.
Verma added that TfL took immediate action after identifying “suspicious activity” on Sunday, 2nd September. Since then, the organisation has been working closely with both the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) to manage the attack.
Last week, both the NCA and NCSC confirmed their involvement in the investigation, stating that they were working with TfL to respond to the attack.
Alongside the limitations on live travel data, TfL has also temporarily suspended online services for applications related to concessionary photocards, such as youth Zip cards and 60+ passes.
Additionally, registered users of contactless payment systems are unable to access their journey history for the time being.
The booking system for Dial a Ride was temporarily unavailable early last week.
While pre-existing bookings were fulfilled, essential bookings can now be made by phone. TfL says it is working to restore full service in the coming days.
Passengers were first notified of the cyberattack last Monday. The incident has reportedly impacted TfL’s main corporate headquarters in Southwark, with employees being encouraged to work remotely where possible, though some staff members remain at the office.
While TfL claims its security measures are in place, the organisation has yet to determine the full scope of the cyberattack.
Andrew Brown, MD at software developer Propel Tech, highlighted the vulnerabilities exposed by the attack and the need for further action.
He pointed out that the decision to ask employees to work remotely indicates that “there is still a lot of work to be done.”
However, Shashi Verma reassured the public, stating, “We will continue to keep our customers and our staff updated on the incident as part of this ongoing work and thank them for their patience as we respond to this incident.”