Bus and rail operator Go-Ahead Group confirms "cyber security incident"

UK travel company Go-Ahead Group has confirmed that its operations have been disrupted due to a “cyber incident”, threatening rush hour commuter travel.

Go-Ahead Group operates regional public transport services in the form of buses and is the Capital’s largest bus operator, managing routes on behalf of Transport for London (TfL).

According to wider reports, bus and driver rosters are believed to be affected by the incident. An official statement suggested as much, with the Group only confirming “that there is no impact on UK or international rail services which are operating normally”.

“Go-Ahead announces that it is currently managing a cyber security incident after detecting unauthorised activity on its network on Monday 5 September 2022,” the company said.

“Upon becoming aware of the incident, Go-Ahead immediately engaged external forensic specialists and has taken precautionary measures with its IT infrastructure whilst it continues to investigate the nature and extent of the incident and implement its incident response plans.”

Go-Ahead also said the relevant regulators had been notified, including the UK’s Information Commissioner's Office (ICO), and that it will continue to assess the impact on its operations, providing updates via social media channels.

The company has not indicated the nature of the attack and did not reply to IT Pro’s request for further details.

It told The Guardian that it was working with IBM to restore the affected parts of its systems from backups and return to normal service.

In addition to serving London’s bus routes, Go-Ahead also runs bus services throughout the south of England, in the North East and North West, comprising 11% of the nation’s bus market, by its figures.

It also operates several rail services such as Great Northern, Thameslink, Gatwick Express, and Southern - part of the larger Govia Thameslink Railway network - representing 30% of all UK rail services.

Outside of the UK, Go-Ahead operates rail services in Norway and Germany, as well as bus routes in Singapore, Sweden, and Ireland. It’s currently unclear if the bus services outside of the UK are affected by the incident.

The perceived threat to critical services such as transport and energy has increased in recent times, especially since the Colonial Pipeline attack in the US last year.

In response, the UK government said it would update the Network and Information Systems (NIS) regulations that govern such services to ensure they are all appropriately protected from a cyber security perspective.

Connor Jones
News and Analysis Editor
