The 2023 cyber attack on transport that went largely unnoticed
On 28th September 2023, a number of key transport websites went offline around Britain in a targeted cyber attack on transport infrastructure. Thanks to a combination of security and engineering techniques built into Passenger’s product platform, over 30 bus operator websites were completely unaffected.
12th Jan 2024
On 28th September 2023, a number of key transport websites went offline around Britain. As each site became unavailable, IT teams worked to understand what was happening to their infrastructure.
It quickly became clear they weren’t alone. The UK was being targeted in a co-ordinated Distributed Denial of Service attack – a cyber attack that involves a sustained flood of traffic designed to overwhelm a website’s servers and stop them from working.
At 0713 that morning, Passenger’s systems began alerting the team to abnormal activity on just two Passenger operator websites. As Principal Engineer Andy Leon wrote in the internal incident report that day, “At first the DDoS was causing web servers to hit maximum CPU. As the attack was blocked at the web servers, it was clear the attackers were saturating the load balancer, hitting their maximum of 250rps.”
“Even when increasing the load balancer infrastructure to handle 750rps, the attack easily saturated the load balancer. This is trivial to do for an attacker and there is no reason to believe that an attack couldn’t sustain 10 times as many requests.”
“Throughout this, our caching and other protections ensured that other systems didn’t have any issues. This meant that the issue was limited to the 2 websites.”
Over 30 Passenger-powered websites, delivering bus network information to riders in their respective regions, were completely unaffected by the DDoS attack. They’d been protected by a combination of security and engineering techniques built into Passenger’s ISO 27001 accredited product platform.
Websites running on the Passenger platform include a firewall, an extra layer of network security, which monitors traffic and then either allows or blocks access based on a set of rules. Occasionally, a firewall will challenge access requests it finds suspicious: we’ve all had to click on pictures of traffic lights to verify that we are, in fact, real-life human beings. This intervention is designed to block a bot that tries to access a website from a strange location or with a supernatural rate of clicks. The application firewall kicks into action and does its job with the key advantage of capacity, via a substantial network of servers, to withstand attacks that would overwhelm an individual website.
The two websites affected had been configured differently from the rest, at the request of the company that owned the operator brands. So it was here that the team focused its incident response efforts.
Not only was the response swift and effective, it was comprehensive. Passenger’s Customer Success team and Help Desk were in regular communication with the affected operators, engineers worked round the clock to put the solution in place, and senior staff at Passenger were kept in the loop at all times. Passenger already had policy in place for what to do in the event of a DDoS attack, with teams well-prepared. Despite the clear sense of urgency, our response was calm and collected, which was reflected in the positive feedback from the affected customers.
As the cyber attack shows, it is imperative that security be taken seriously. Whether it be to steal data, spread propaganda or simply to cause politically-motivated disruption, hostile actors at home and abroad will try to expose and exploit weaknesses in electronic infrastructure. The idea of defending against cyberattacks may sound like something reserved for big banks or the Ministry of Defence, but it’s an important concern for every organisation, regardless of size or sector, and individuals too.
With the right partners, and an ongoing investment in skills, such attacks are neutralised – and significant disruption is averted.