Network Rail confirms cyber attack on Wi-Fi systems at UK train stations

Interior of King's Cross train station in London. King's Cross is operated by Network Rail alongside several stations across London
(Image credit: Getty Images)

A host of railway stations across the UK have been impacted by a cyber attack that saw commuters met with messages on terror attacks.

The incident is believed to have affected the rail operator’s Wi-Fi at 19 stations in total, including London Euston, Liverpool Lime Street, Edinburgh Waverley, Glasgow Central, and more.

Commuters first encountered ominous messages after logging into Wi-Fi at affected stations, which displayed information pertaining to terrorist attacks in Europe and a message stating “we love you Europe”.

Wi-Fi services at affected stations are managed by a third-party service provider, Telent.

In a statement given to ITPro, a spokesperson for Network Rail confirmed the incident and that the operator is working with relevant authorities to investigate the issue.

“We are currently dealing with a cybersecurity incident affecting the public Wi-Fi at Network Rail’s managed stations,” the spokesperson said.

They added that “other organizations” have been targeted in the attack, but warned Telent “won’t reveal who” and advised the media to contact the provider.

In a statement issued publicly, Telent has since confirmed that it's working with Network Rail and relevant stakeholders to remediate the issue.

"Through investigations with Global Reach, the provider of the Wi-Fi landing page, it has been identified that an unauthorised change was made to the Network Rail landing page from a legitimate Global Reach administrator account and the matter is now subject to criminal investigations by the British Transport Police," the company said.

Telent further clarified that "no personal data has been affected".

What prompted the Network Rail attack?

The exact scale of the incident is yet to be established. However, Network Rail said that Wi-Fi services at affected stations were temporarily suspended, which Telent also confirmed.

Jake Moore, global cybersecurity advisor at ESET, said early indications show the attack could be an attempt by cyber criminals to probe security capabilities as opposed to relaying an outright threat.

“By defacing the Wi-Fi log on screen with a terror message suggests that the motive may simply be to test its general security rather than to pose a genuine threat,” he said.

RELATED WHITEPAPER

Moore added that in this particular case, the attackers have purposely targeted the “weakest link” by attacking a third-party provider. He further speculated that this could’ve been achieved via a phishing campaign.

“Financially motivated cyber criminals are out to find data they can either steal or sabotage with a ransom demand put in place,” he added. “However, it seems nothing more has been demanded here other than more security in place following a separate attack on TfL earlier this month.”

What stations are affected?

Stations impacted by the incident are spread across the UK, Affected London sites include King’s Cross, Paddington, Charing Cross, Clapham Junction, Cannon Street, London Bridge, Euston, Liverpool Street, Victoria, and Waterloo.

Stations elsewhere across the UK include:

  • Reading
  • Guildford
  • Manchester Piccadilly
  • Liverpool Lime Street
  • Birmingham New Street
  • Leeds
  • Bristol Temple Meads
  • Edinburgh Waverley
  • Glasgow Central
Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.