The Greater London Authority must urgently overhaul its cyber security arrangements in the wake of a series of high profile attacks across the public sector, the GLA Oversight Committee has warned in a new report prompted by the 2024 cyber attack on Transport for London (TfL).
The investigation, led by Committee Chair Emma Best, was triggered after a “significant cyber attack on TfL that also affected the GLA” in August 2024, which TfL said caused it £32m of damage and disrupted TfL services for three months.
The Oversight Committee’s report noted that local government now reports “three to four times more cyber incidents than national government”, with recent attacks on the British Library, NHS Synnovis and Hackney Council demonstrating the scale of operational and financial damage that can result.
The Committee warned that the GLA must “recognize the scale of cyber threats and take proactive measures to mitigate risks”.
It set out eleven recommendations, including:
• developing a benchmarking approach for cyber security investment
• regular reporting on legacy systems and supply chain risks
• ensuring all supply chain organisations achieve Cyber Essentials Plus
• assessing the effectiveness of staff training and monitoring completion rates
• conducting regular cyber security exercises and improving incident reporting
The report concludes that the GLA must adopt a more systematic, better resourced and more transparent approach to cyber security if it is to withstand the rapidly evolving threat landscape.
However, it also reported that many public authorities, especially those in London, were struggling to compete with private sector salaries for technical staff. TfL’s chief technology officer Shashi Verma described London’s technology recruitment market as “particularly difficult” with cyber roles affected by a “national skills shortage”. The GLA is now restructuring its workforce to improve career development and pay for IT and cyber roles.
Legacy systems “significant risk”
Legacy technology is identified as one of the most serious vulnerabilities facing public authorities. The report notes that the British Library attack was worsened by outdated systems, while TfL has faced criticism for software “compatible with Internet Explorer 6”.
Verma acknowledged the challenge of managing a vast estate with entrenched legacy systems, warning that transitioning to modern security practices requires “significant investment” and long term planning.
The Committee also found that supply chain vulnerabilities are increasingly exploited by attackers. Understanding the full chain is “complex, as it includes multiple layers of suppliers”. The report calls for all supply chain organisations to complete the NCSC’s Cyber Essentials Plus certification.
The report emphasised that, in addition to improving technology, a strong cyber security culture is essential, with committee member Dianne Tranmer warning that “human error can undermine even the best technical defences”. Phishing remains the most common attack vector, and ransomware incidents doubled in 2025.
Leadership engagement with the issue is improving, the committee said, with both TfL and the GLA listing cyber security as a top corporate risk. Gareth Miles, the Head of Crime at the National Fraud Intelligence Bureau with the City of London Police, who contributed to the report, emphasised the need for robust governance and risk management frameworks to combat the risk of cyber attacks.
TfL attack: £32m impact
The September 2024 attack on TfL was described as “sophisticated” and resulted in costs estimated at £32 million. Immediate containment required shutting down services, and although public facing disruption was limited, the attack caused a data breach affecting 5,000 customers.
TfL received commendations from the NCSC for its response, despite ongoing concerns about legacy systems. Two UK teenagers, Thalha Jubair, 19, from East London, and Owen Flowers, 18, from Walsall, alleged to be part of an online criminal collective known as Scattered Spider, were charged with conspiring to commit unauthorised acts against Transport for London (TfL) under the Computer Misuse Act in connection with the attack. Both pleaded not guilty in November 2025 and are on remand awaiting trial in June 2026.
At the time, the head of the NCA’s National Cyber Crime Unit, Paul Foster, warned of an increase in the threat from cyber criminals based in the UK and other English-speaking countries, of which Scattered Spider was a clear example.

