, ,

Network Rail cyber figures expose infrastructure risk

Network Rail blocked more than seven million malicious emails in four months, according to FOI based data.

Network Rail cyber figures expose infrastructure risk
Summary
  • Network Rail reportedly blocked more than 7.1 million malicious emails between December 2025 and March 2026.
  • The figures include phishing, malware laden emails, spam, and edge blocked threats.
  • Rail cyber risk is a business continuity issue for public services, commuters, and the wider economy.

Network Rail reportedly blocked more than 7.1 million malicious emails over four months, underlining how cyber pressure on transport infrastructure has become part of the operating reality for public services rather than an occasional crisis.

The figures, obtained through freedom of information based research and carried by ITPro and Rail Business Daily, cover the period between December 2025 and March 2026. The total included 331,352 phishing emails, 1,412 malware laden emails, 2,066,392 spam emails, and 4,730,158 edge blocked emails.

The numbers need careful handling. Blocked malicious emails are not the same as successful attacks, and large organisations routinely stop huge volumes of hostile traffic before it reaches users. Yet the scale is still relevant because transport networks combine high public dependence, sprawling supplier ecosystems, operational technology, legacy systems, and valuable personal and operational data.

Rail is a particularly sensitive cyber target. Disruption can prevent people getting to work, delay freight, affect emergency journeys, undermine public confidence, and impose costs across the wider economy. The UK has already seen the consequences of transport cyber incidents, including the 2024 Transport for London attack, which caused significant operational disruption and remediation costs.

The threat surface is broad. Corporate IT systems handle email, payroll, HR, procurement, and customer communications. Operational systems support signalling, stations, maintenance, asset management, and service planning. Suppliers and contractors may connect into parts of the environment. Public Wi-Fi, passenger information systems, retail services, and mobile apps add further exposure.

Not every phishing email threatens trains directly. The larger concern is that attackers often move from ordinary user compromise into more sensitive systems through credentials, supplier access, remote management tools, or poorly segmented networks. Cyber resilience for rail cannot be reduced to endpoint protection or staff awareness campaigns.

Business continuity gives the story its weight. Critical national infrastructure is judged not only by whether it can prevent attacks, but by whether it can detect, contain, recover, and keep essential services running. In rail, a cyber incident can become a public service incident quickly because the system depends on coordination between infrastructure operators, train companies, technology suppliers, telecoms providers, police, regulators, and government.

European policy reflects the same shift. The EU’s Cyber Europe 2026 exercise tested responses to attacks on rail and maritime networks, while the UK is preparing broader cyber resilience reforms. Transport operators are increasingly expected to show that cyber risk is managed as an operational risk, not a technical function buried inside IT.

The figures also show why public sector and infrastructure organisations remain attractive to attackers. They are visible, time sensitive, and politically exposed. A successful intrusion can create pressure to restore services quickly, especially where passengers, businesses, or supply chains are affected. That makes resilience planning, offline recovery, and clear incident communication as important as prevention.

Network Rail and comparable operators face familiar but hard questions: whether identity controls are strong enough, whether suppliers are monitored properly, whether operational systems are segmented, whether backups are recoverable, and whether staff are trained for realistic attack paths. The volume of malicious email is only the most visible part of the risk.

The wider economy depends on transport networks working quietly. Cybersecurity is now one of the conditions for that quietness. The reported threat volumes do not prove imminent failure, but they do show that hostile activity against rail infrastructure is constant. Resilience has to be designed for that baseline, not for the comforting assumption that major incidents are rare exceptions.