Northern Trains ticket systems hit by suspected ransomware attack

Northern Trains, the UK government-run train operator, has shut down its ticket machines following a suspected ransomware attack, marking the latest in a string of highly disruptive hacks by cyber criminals. 

Northern, one of only a handful of train services in the UK fully run by the government, said on Monday that its self-service ticket machines had been hit by technical difficulties last week, forcing them all to be taken offline. 

“This is the subject of an ongoing investigation with our supplier, but indications are that the ticket machine service has been subject to a ransomware cyber attack,” the group said. 

It added that customer and payment data had not been compromised and that the attack had been limited to its servers operating the digital ticket booths. 

Ransomware — where hackers seize an organisation’s data or computer systems only to release them if a ransom is paid — has proliferated in recent years, becoming even more common during the pandemic as the shift to remote working has left employees more dependent on the web and more vulnerable to attacks. 

The Northern incident is the latest in a rash of attacks in 2021 that have disrupted critical infrastructure and public services, prompting calls for governments to take bolder action. Recent victims include US fuel group Colonial Pipeline, which was forced to close temporarily causing fuel shortages, JBS, the world’s largest meat processor, and the Irish health service. 

Many attacks have been blamed on Russia-based cartels. But on Monday, the White House accused Chinese government-backed hackers of a ransomware attack in which they demanded millions of dollars from an unnamed US company.

Northern did not indicate which ransomware gang might have been responsible for its suspected attack. 

The franchise, which operates services across large parts of northern England from Staffordshire to Northumberland, was taken over by the Department for Transport at the start of last year following a period of poor performance before the coronavirus pandemic. 

In May this year, Northern announced it had installed more than 600 new ticket machines across more than 409 stations on its network as part of a £17m upgrade with a supplier called Flowbird. 

It is unclear whether the cyber attackers hit Northern directly or whether they first compromised Flowbird in order to spread ransomware to its client — what is known as a supply-chain hack. Flowbird did not respond to a request for comment. 

Northern added that tickets were still available online or via ticket offices at stations. “We are working to restore normal operation to our ticket machines as soon as possible. We are sorry for any inconvenience this incident causes”. The attack was first reported by the BBC.