Publicly owned rail operator Northern Trains has an excuse somewhat more technical than “leaves on the line” for its latest service disruption: a ransomware attack that has left its self-service ticketing booths out for the count.
“Last week we experienced technical difficulties with our self-service ticket machines, which meant all have had to be taken offline,” a spokesperson for Northern Trains confirmed to The Register.
[Image: Leeds Railway Station on April 12th 2021, the day non-essential shops reopened in the area]
“This is the subject of an ongoing investigation with our supplier, but indications are that the ticket machine service has been subject to a ransomware cyberattack. Working with the supplier, we took swift action and the incident has only affected the servers which operate the ticket machines. Customer and payment data has not been compromised.”
A representative for Northern Trains referred further questions on to Flowbird Transport, which provides the ticketing system in question, telling us “it’s their system that’s been affected.”
Northern Trains partnered with Flowbird in a £17m-and-counting scheme to update its self-service ticketing facilities in 2016. Through that partnership the pair reported installing 621 of Flowbird’s machines at 420 stations as of May this year.
“We are working to restore normal operation to our ticket machines as soon as possible,” Northern Trains’ spokesperson continued. “We are sorry for any inconvenience this incident causes and, in the meantime, are advising customers to either use Northern’s mobile app or website to purchase tickets in advance and, where necessary, to collect those from one of our ticket offices. Of course, those offices can also be used to buy tickets.
“Customers who have already bought tickets to be collected at a machine, or who would normally use ‘promise to pay’ slips, should board their booked service and either speak to the conductor or to Northern staff at their destination station.”
The publicly owned Northern Trains took over the operation of the Northern rail franchise from Arriva Rail North in March last year, after poor performance from the previous franchise holder gave the government cause to step in.
Northern Trains’ public-facing news page failed to mention any ransomware attack but blamed the ongoing outage on unspecified “technical difficulties.”
“An issue was recently identified which impacted our TVM services for one customer (Northern),” a Flowbird spokesperson confirmed in a statement on the ransomware attack. “The issue was first identified through cyber monitoring systems and our initial investigations indicated that the service may have been subject to a cyber-attack.
“We immediately instigated our major incident procedure in order to protect other parts of the network and our checks have shown there has been no compromise to any personal data. The TVM [Ticket Vending Machine] network has been taken offline as a precautionary measure and we are working with our customer in order to restore services as soon as possible.”
Flowbird did not confirm whether it had alerted authorities to the breach. ®