Ransomware attack on UK local railways shuts down self-service ticketing system

The £17 million self-service ticketing system purchased by Northern Railways was paralyzed due to a ransomware attack that took servers offline, affecting more than 420 stations.

Northern Railway believes that the supplier’s system is a security risk and has held it accountable.

British local public rail operator Northern Trains has suffered service outages, with self-service ticket kiosks not functioning properly, in what officials said was a surprise ransomware attack.

A spokesman for Northern Railways said: “We had a technical problem with our self-service ticket machines last week and all equipment had to be taken offline.”

The spokesperson noted, “Our suppliers are actively investigating and there are indications of a ransomware attack on ticket machine services. We worked with our suppliers to act swiftly, so the attack only affected the servers associated with the ticket machines. Customers and payment data were not affected.”

There are security risks in the self-service ticketing system

A Northern Railway representative questioned the supplier, Flowbird Transport, suspecting that the ticketing system it provided carries hidden security risks, and stressed that “it was the other party’s system that was affected by the attack.”

Northern Railway signed a £17m contract with Flowbird in 2016 to update its self-service ticketing facilities. Under the rollout plan, as of May this year, the two parties had installed a total of 621 Flowbird devices in 420 stations.

A Northern Rail spokesperson added, “We are working hard to restore normal operation of the ticket machines. We apologise for any inconvenience caused by this incident; meanwhile, we advise customers to purchase tickets in advance using the Northern mobile app or website, if necessary. Please pick up your ticket from one of our designated ticket offices. Of course, you can also buy tickets directly at the ticket office.”

“Customers who have already purchased a ticket for a pick-up machine, or customers who have selected ‘Reimbursement Commitment’ to settle bills in a unified manner, please log in to your reservation service and consult the conductor or the Northern Railway staff at the destination station for the handling method.”

In March 2020, Northern Rail Corporation took over the Northern Rail franchise from Arriva Rail North, the original franchise holder, because of its poor operating performance.

Repairs currently under way

The Northern Railroad’s public news page doesn’t mention anything about the ransomware attack, other than to attribute the current service outage to a vague “technical glitch.”

In a statement about the ransomware attack, a Flowbird spokesman said, “We recently discovered an attack that has impacted our TVM service for one customer (Northern Railway). This issue was first detected by a network monitoring system; an initial investigation indicated that the service may have been affected by a cyberattack. We immediately initiated a major incident procedure to protect the rest of the network; our inspection indicated that no personal data was compromised by the incident. As a precaution, the TVM (ticket vending machine) network is now offline and we are working with our customers to restore service as soon as possible.”

Flowbird did not confirm whether it had reported the incident to government authorities.

Charlie Smith, a consulting solutions engineer at Barracuda Networks, said the attack was undoubtedly “a resounding wake-up call” that businesses of any size could be on the radar of cybercriminals.

“Regularly reviewing and testing data governance practices is arguably a core prerequisite to ensuring that IT teams can easily restore business-critical software and safeguard the integrity of data systems. Considering that the summer holidays are currently underway, this kind of early warning is even more important.”

“After a ransomware attack, the only way to achieve rapid recovery is to delete all infected data and perform a full system and even VM-level recovery of each affected web server and IT system.”

Author: Yoyokuo