​Transport for London (TfL) says that all staff (roughly 30,000 employees) must attend in-person appointments to verify their identities and reset passwords following a cybersecurity incident disclosed almost two weeks ago.

“Resetting 30,000 colleague passwords in person will take some time and we will be prioritising the allocation of appointments centrally,” TfL said on the TfL employee hub.

“This means everyone will be required to attend an appointment at a specified TfL location to reset their password and be verified in-person for access to TfL applications and data,” it added.

The same approach was taken by DICK’S Sporting Goods’ IT staff after an August cyberattack, manually validating employees’ identities on camera before allowing them to regain access to internal systems.

The London public transportation agency first informed the public on September 2 about the cybersecurity breach, assuring customers that there was no evidence of compromised data.

Although the attack did not affect London’s transportation services, it disrupted internal systems, online services, and the agency’s ability to process refunds. As of last Friday, TfL staff continued to face outages and system disruptions, impacting their ability to respond to customer requests and issue refunds for contactless journeys.

This week, an update on TfL’s incident status page revealed that customer data, including names, contact details, and addresses, had been compromised during the attack.

“Some customers may ask questions about the security of our network and their data. First and foremost, we must reassure that our network is safe,” the transport agency added on the TfL employee hub. “Secondly, we’re contacting customers directly about steps being taken regarding their data.”

TfL also confirmed that attackers accessed employee and customer directory data, including email addresses, job titles, and employee numbers. However, it said there was no evidence that other sensitive data, such as banking details, dates of birth, or home addresses, had been compromised.

Suspect arrested by UK’s National Crime Agency

On Thursday, the United Kingdom’s National Crime Agency arrested a 17-year-old Walsall teenager suspected of being connected to the cyberattack on the city’s public transportation agency. The teenager was later released on bail after being questioned by NCA officers.

The NCA also arrested a 17-year-old male from Walsall in July for a possible link to the MGM Resorts ransomware attack. This attack was attributed to the Scattered Spider hacking collective, which acted as an affiliate of the BlackCat ransomware gang.

BleepingComputer asked the NCA if the same individual was arrested again in September but has not yet received a response.

TfL serves more than 8.4 million Londoners through its surface, underground, and Crossrail (jointly managed with the UK’s Transport Department) transport systems.

In May 2023, the agency experienced another data breach when the Clop ransomware gang stole data belonging to approximately 13,000 customers from one of its suppliers’ MOVEit managed file transfer (MFT) servers.