Barcelona Metro Security Concerns Trigger Removal of 700+ Legacy Ticket Machines
Published
- Ticketing machines scrapped: Barcelona Metro begins removing over 700 outdated ticket terminals.
- Replacing old devices: Legacy systems are being replaced to reduce the attack surface and exploitation.
- Infosec Team Upgrades: TMB begins decommissioning vulnerable machines to futureproof rail infrastructure.
The Barcelona metro is set to scrap over 700 ticket-issuing terminals after security teams warned they were running legacy, end-of-life systems vulnerable to digital exploitation. The outdated hardware and unsupported software stack pose a serious cybersecurity threat.Â
The ongoing use of such systems could expose data related to its passengers, payment, and operations to the risk of compromise.
Large-Scale Hardware Decommissioning for Cybersecurity
The removal of the machines will be carried out in stages, as part of a broader cybersecurity effort, signalling a proactive initiative by TMB’s information security department.
According to La Razón, citing Transports Metropolitans de Barcelona (TMB), the transit agency is decommissioning obsolete ticket machines used for issuing paper tickets and T-mobilitat cards throughout the network.
The metro network, which transports millions of passengers daily, is set to migrate toward modernized kiosks and digital payment infrastructure to reduce cyber risks. However, TMB has not yet commented on how many physical sales points will remain operational or whether station-based customer service will be expanded.
TMB’s plan involves rolling out newer, hardened terminals over time, but not all existing in-station sale points will return in the upgraded layout.
What This Could Mean for Travelers
With fewer manned stations, travelers may find themselves unable to buy tickets if they lack compatible mobile payment methods. Tourists unfamiliar with digital ticketing could face last-minute fare issues.Â
TMB has not confirmed any cyber-intrusion or data breach involving the ticket machines. The decision is described as preventive and risk-mitigating.
Previous Cyberattacks Due to Legacy Systems
In the U.K., over 600 touchscreen ticket machines across Northern Rail were targeted by ransomware shortly after installation, due to older, legacy software components still present in the ticketing backend.
Similarly, in 2024, Transport for London (TfL) suffered a cybersecurity breach that exposed customer bank details, a disruption that authorities attributed in part to outdated systems.
Cyberattacks on rail and travel infrastructure not only disrupt services, as seen when Ukrzaliznytsia, Ukraine’s railway operator, suffered a multi-level hack that forced all ticketing entirely offline, but also expose systemic security risks that go beyond transit delays
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular