Article

The Transport for London Cyberattack and Personal Data Breaches

October 8, 2024

By Nessa Khandaker; Lynn Parker Dupree

In early September 2024, Transport for London (TFL), the government body responsible for London’s transportation network, became the victim of a cyberattack.

Whilst the incident was ongoing, Londoners registered with TFL were informed that around 5,000 customers may have had their bank account numbers and sort codes accessed by hackers. In addition, TFL found that hackers may have also accessed customer names and contact details, including email and home addresses. TFL said that those affected would be contacted directly as a precautionary measure.

TFL also put in place additional measures to improve its security as a result of the incident, including an all-staff IT identity check and ensuring that all safety-critical systems and processes have been maintained.

Whilst it is a situation all organisations want to avoid, over 70% of medium and large businesses report having experienced some form of cyber security breach or attack in the last 12 months. Below, we explore what to do in the event of a cyberattack resulting in a data breach.

Steps after a Cyberattack

In the event of a cyberattack, one of the first steps is to log the facts of the incident and, where possible, immediately recover the data.

Organisations are under a duty to determine whether there has been a personal data breach as a result of any attack. This includes the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” as defined by the UK GDPR.

Where a personal data breach has occurred, the organisation must undertake a formal risk assessment. This includes an assessment of the risk to individuals and the likelihood of such risks occurring. The UK GDPR places a duty on businesses to notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach if it is likely to result in a risk to the rights and freedoms of individuals. A risk in this sense means a circumstance that may result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage. Companies must notify individuals where a breach has been identified as posing a high risk to their rights and freedoms, which is a higher standard than the one required for reporting to the ICO.

It is essential to keep a full record of any personal data breaches together with the steps taken to assess the risks. A risk assessment should ideally include appropriate logging to determine whether the organisation’s IT has been compromised, and to what extent. This in turn will assist in determining whether data has been exfiltrated from the impacted systems to the cyber-attacker, and what type of data was exfiltrated.

Informing Individuals

TFL has said it would directly contact the individual customers whose data has been compromised. It is likely that its risk assessment deemed this a necessary step.

As previously noted, individuals must be informed immediately where a breach is likely to result in a high risk of adversely impacting the rights and freedoms of the individuals whose data has been accessed.

In assessing the risk to individuals, organisations should consider the rights and freedoms of individuals in their totality, which can include:

  • The nature and sensitivity of the personal data that has been breached
  • Whether any individuals have lost control of their personal data or lost their right of access to the data
  • To what extent the personal data was exposed to the cyber-attacker
  • What means, motivation, and opportunities the cyber-attacker had to exfiltrate the data

Where it is determined that the breach is likely to adversely affect the personal data of individuals, those individuals must be given a summary of the incident, including what data has been breached and the measures taken to address the breach. The individuals should be given specific and clear advice on the steps they can take to mitigate any possible adverse impact, which typically can include implementing strong, unique passwords.

Key Learnings

  • All organisations have a duty to report certain personal data breaches to the ICO within 72 hours of becoming aware of the breach.
  • For breaches likely to lead to a high risk of individuals’ rights and freedoms being adversely affected, those individuals must be informed without undue delay and advised on steps to mitigate their risks.
  • Organisations should implement procedures for breach detection, investigation, and internal reporting. This will assist with making decisions on whether it is necessary to inform the ICO or the individuals, or both.
  • It is essential to keep a record of any personal data breaches.

Copyright © Finnegan, Henderson, Farabow, Garrett & Dunner, LLP. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm’s clients.
