Nineteen major railway stations across Britain including ten in London have been hit by a major cyber attack impacting their public wi-fi systems for passengers.
Network Rail confirmed London Euston, Manchester Piccadilly, Liverpool Lime Street, Birmingham New Street and Glasgow Central were among those impacted.
British Transport Police launched an investigation after travellers logging into the wi-fi at stations reported seeing a message about terror attacks in Europe.
Wi-fi at the affected stations is controlled by a third-party provider called Telent, and MailOnline understands other organisations have also been impacted by the attack.
The wi-fi landing page following the hack said ‘We love you, Europe’ and contained information about terror attacks, according to users posting on social media.
The attack has been compared to the BBC‘s new drama Nightsleeper which features a sleeper train travelling from Glasgow to London which is hacked and hijacked.
The wifi webpage after the hack said ‘We love you, Europe’ and contained information about terror attacks, which has been obscured by MailOnline in the above image
The wi-fi was still down this morning at the stations, which also include Bristol Temple Meads, Edinburgh Waverley, Leeds, Guildford and Reading.
The ten London stations affected were Cannon Street, Charing Cross, Clapham Junction, Euston, King’s Cross, Liverpool Street, London Bridge, Paddington, Victoria and Waterloo.
According to its website, Telent helps design, build, support and manage some of the UK’s ‘critical digital infrastructure’, and its other customers include Openreach, Transport for London (TfL), National Highways, the Maritime and Coastguard Agency and the NHS Ambulance Radio Programme.
It has not yet been confirmed if any of Telent’s other customers have been impacted by the incident.
Among the cyber security experts commenting on the attack today was Alex Richards, director of Liberate IT Services, who told MailOnline: ‘This will have been a malicious actor directly targeting the public wi-fi for propaganda purposes or to promote an agenda.
‘Public wi-fi is always isolated and firewalled from any other network so there will be no risk to data held or processed by Network Rail themselves. Public wi-fi is the easiest target due to its accessibility, and the most visible when tampered with.
‘The only potential danger is that anyone else using the public wi-fi at the time could have had their data snooped. This is where information being sent from/to your device on the public wi-fi is inspected and listened to.
‘This is why it is important to only use encrypted services on public wi-fi, or a VPN service using encryption. Better yet, stay clear of public wi-fi and use your 4G or 5G data service.’
The cyber attack has been compared to the BBC’s new drama Nightsleeper, starring Joe Cole
James Bore, director at security and technology consultancy Bores Group, also told MailOnline: ‘This sort of attack largely isn’t a threat to users of the wi-fi as it appears to be an activist attack designed to spread a message.
‘From the details available it’s likely the provider of the wi-fi system was the one compromised, and a lot more of their clients than Network Rail will have been affected – however with the busy stations they were noticed first.
‘This sort of attack involves changing the home page – called the captive portal – to another page, and it can be used to steal credentials but in this case was used to spread a message.
‘Honestly, the protection against this sort of attack is not to use public wi-fi – when you do use it you are placing trust in the provider not to do this sort of thing, and while it’s rare that these attacks happen there is nothing individuals can do to prevent them.’
Meanwhile Adrianus Warmenhoven, cyber security expert at NordVPN, said: ‘Cyber attacks at some of the UK’s busiest railway stations are a stark reminder that public wi-fi can be a playground for cybercriminals.
‘Unsecured public networks in busy areas are easy pickings for hackers and the incident highlights the need for heightened vigilance when using these services — which can be more vulnerable to cyber attacks.’
He added that the firm’s research has found Britons are among the most vulnerable in the world for public wi-fi attacks, given more than two fifths are willing to use password-free services on their devices.
Mr Warmenhoven continued: ‘To protect yourself when using public wi-fi, avoid using sensitive accounts like online banking or shopping sites that require your personal information.
‘Always ensure you are connecting to the correct network, as hackers have been known to create fake wi-fi hotspots with names similar to legitimate networks and lure unsuspecting users.
‘If you are using public wi-fi, consider using a Virtual Private Network (VPN) to encrypt your data and keep it safe from prying eyes.’
Nightsleeper features a train travelling from Glasgow to London which is hacked and hijacked
And Jake Moore, global cybersecurity adviser at Eset, said the incident appeared to be an attempt to draw attention to a lack of security, rather than a ‘genuine threat’.
‘Cyber attacks often occur in stealth mode and attempt to carry out activities without anyone noticing anything until the real damage is complete,’ he said.
‘However, by defacing the wifi logon screen with a terror message suggests that the motive may simply be to test its general security rather than to pose a genuine threat – and in this case, via the weakest link in the supply chain and most likely via a phishing campaign.
‘Financially motivated cyber criminals are out to find data they can either steal or sabotage with a ransom demand put in place.
‘However, it seems nothing more has been demanded here other than more security in place following a separate attack on TfL earlier this month.’
Passengers at London Euston this morning, one of the stations affected by the cyber attack
A Network Rail spokeswoman told MailOnline: ‘We are currently dealing with a cyber security incident affecting the public wi-fi at Network Rail’s managed stations.
‘This service is provided via a third party and has been suspended while an investigation is underway.’
Network Rail manages 20 stations across the network, with London St Pancras the only one that has not been affected by the attack.
And a British Transport Police spokesman said: ‘We received reports at around 5.03pm yesterday of a cyber-attack displaying Islamophobic messaging on some Network Rail Wi-Fi services.
‘We are working alongside Network Rail to investigate the incident at pace.’
Also today, a spokeswoman for Telent said: ‘We are aware of the cyber security incident affecting the public Wi-Fi at Network Rail’s managed stations and are investigating with Network Rail and other stakeholders.
British Transport Police at London King’s Cross station today after the cyber attack on wi-fi
‘We have been informed there is an ongoing investigation by the British Transport Police into this incident, so it would not be appropriate to comment further at this stage.’
While the cyber attack itself did not appear to be affecting train services today, there was major disruption on Avanti West Coast and TransPennine Express services.
All lines between Lockerbie and Carstairs were blocked after an object got caught in the overhead cables, affecting services between Carlisle, Glasgow and Edinburgh.
Elsewhere, flooding continued to disrupt services between Wanborough and Ash in Surrey – while a tree was blocking the line between Hebden Bridge and Todmorden in West Yorkshire.
It comes after a separate cyber security incident was launched on Transport for London (TfL) on September 1, which saw some customer data accessed.
Network Rail confirmed Manchester Piccadilly is among the affected train stations (file photo)
A 17-year-old boy has been arrested in Walsall on suspicion of Computer Misuse Act offences in relation to the TfL attack.
TfL has been investigating the incident alongside the NCA and said some customer names and contact details had been compromised.
Some Oyster card refund data may also have been accessed in the cyber attack which could include bank account details.
TfL said this could include bank account numbers and sort codes for about 5,000 customers, and it has directly contacted these people with guidance.
Meanwhile the Football League has issued an alert to clubs following a series of cyber attacks which have seen breaches at both Bristol City and Sheffield Wednesday in recent weeks.
Hackers are thought to be targeting many of the league’s bigger clubs, hunting for the personal data of season ticket holders and those on email lists.
Should they be successful, that information, which can include passwords, is often sold on to a variety of buyers which are thought to include organised crime networks who can then attempt to use the data to carry out a variety of scams.
A further cyber attack back in June led to more than 10,000 NHS appointments being cancelled after pathology services provider Synnovis was targeted.
The hackers were thought to have obtained confidential medical information and blood test results of more than 100,000 patients.
Last month, they were ordered by a High Court judge to ‘unmask’ themselves and return or delete the stolen data.
And in July, Microsoft suffered a service outage which affected some of its apps and features which was sparked by an attempted cyber attack.
The US technology firm said problems on its Azure cloud platform had been triggered by a distributed denial-of-service (DDoS) attack, where hackers try to knock a platform offline by flooding it with traffic until it can no longer cope.