TfL takes Oyster system offline after customer accounts accessed

Transport for London (TfL) has taken its Oyster system offline to protect customers’ data after discovering accounts had been accessed by criminals.

According to TfL, a “small number” of customers had their accounts accessed “after their login credentials were compromised when using non-TfL websites”.

The company added: “No customer payment details have been accessed, but as a precautionary measure and to protect our customers’ data, we have temporarily closed online contactless and Oyster accounts while we put additional security measures in place.

“We will contact those customers who we have identified as being affected and we encourage all customers not to use the same password for multiple sites.”

Even staff access to the online Oyster system has been suspended, according to online technology magazine The Register, which first reported the incident.


A spokesperson for TfL told Sky News that 1,200 customer accounts were “accessed maliciously” but stressed that there had not been a compromise of the network, with users themselves responsible for the breach by recycling their credentials.

Despite this, the local government body has acknowledged its ability to tackle so-called “credential stuffing” attacks by taking down the online accounts portal for maintenance.

A spokesperson for TfL also told Sky News they had been in touch with the National Cyber Security Centre and the Information Commissioner’s Office (ICO).

An ICO spokesperson told Sky News: “We are aware of an incident concerning Transport for London and will be making enquiries.”

Last November the ICO fined Uber £385,000 for failing to protect customers’ personal information which was leaked in a credential stuffing attack.

Uber’s situation had been considerably more to the detriment of its customers, however – the company actually paid off the hackers who stole data belonging to 57 million users, and then kept quiet about the breach.

It is understood the Uber incident involved the hackers gaining access to customer details via administrator accounts, while the TfL breach involved the customer credentials being taken from elsewhere.

