Northern Trains' ticketing system out to lunch as ransomware attack shuts down servers

£17m on shiny new Flowbird touchscreen kiosks well spent, apparently


Publicly owned rail operator Northern Trains has an excuse somewhat more technical than "leaves on the line" for its latest service disruption: a ransomware attack that has left its self-service ticketing booths out for the count.

"Last week we experienced technical difficulties with our self-service ticket machines, which meant all have had to be taken offline," a spokesperson for Northern Trains confirmed to The Register.

"This is the subject of an ongoing investigation with our supplier, but indications are that the ticket machine service has been subject to a ransomware cyberattack. Working with the supplier, we took swift action and the incident has only affected the servers which operate the ticket machines. Customer and payment data has not been compromised."

A representative for Northern Trains referred further questions on to Flowbird Transport, which provides the ticketing system in question, telling us "it's their system that's been affected."

Northern Trains partnered with Flowbird in a £17m-and-counting scheme to update its self-service ticketing facilities in 2016. Through that partnership the pair reported installing 621 of Flowbird's machines at 420 stations as of May this year.

"We are working to restore normal operation to our ticket machines as soon as possible," Northern Trains' spokesperson continued. "We are sorry for any inconvenience this incident causes and, in the meantime, are advising customers to either use Northern's mobile app or website to purchase tickets in advance and, where necessary, to collect those from one of our ticket offices. Of course, those offices can also be used to buy tickets.

"Customers who have already bought tickets to be collected at a machine, or who would normally use 'promise to pay' slips, should board their booked service and either speak to the conductor or to Northern staff at their destination station."

The publicly owned Northern Trains took over the operation of the Northern rail franchise from Arriva Rail North in March last year, after poor performance from the previous franchise holder gave the government cause to step in.

Northern Trains' public-facing news page failed to mention any ransomware attack but blamed the ongoing outage on unspecified "technical difficulties."

"An issue was recently identified which impacted our TVM services for one customer (Northern)," a Flowbird spokesperson confirmed in a statement on the ransomware attack. "The issue was first identified through cyber monitoring systems and our initial investigations indicated that the service may have been subject to a cyber-attack.

"We immediately instigated our major incident procedure in order to protect other parts of the network and our checks have shown there has been no compromise to any personal data. The TVM [Ticket Vending Machine] network has been taken offline as a precautionary measure and we are working with our customer in order to restore services as soon as possible."

Flowbird did not confirm whether it had alerted authorities to the breach.

Charlie Smith, consulting solutions engineer at Barracuda Networks, said the latest incident is a "stark reminder" that businesses of all shapes and sizes can fall under the watchful eye of infosec criminals.

"[R]egularly reviewing and testing your data regulation practices is essential to ensure all IT staff are comfortable in running a full system recovery for software and data that is critical to a business functioning, especially during the summer months when many people are taking holiday.

"The only way to recover quickly and easily from a ransomware attack is to remove all infected data and run full system and virtual machine level recoveries of the web servers and IT systems which have been exploited." ®
