TfL takes down Oyster card online service after customer hack

Transport for London has confirmed a number of passengers’ Oyster accounts have been hacked, after customers complained of not being able to access the service online.

The transport authority took the Oyster system offline as a precaution after 1,200 customer accounts were compromised. Online contactless and Oyster accounts were temporarily suspended to limit the damage.

That’s a small fraction of the six million online Oyster accounts, which facilitate easy travel in the capital on tube, train, bus and tram, but still a concern for those involved.

“As a precautionary measure and to protect our customers’ data, we have temporarily suspended online contactless and Oyster accounts while we put additional security measures in place,” TfL said in a statement.

TfL believes the account compromises may have stemmed from a breach at a third party. The affected users may have used the same logins on other websites, leading the hackers to try those credentials on the TfL site.

It said: “We will contact those customers who we have identified as being affected and we encourage all customers not to use the same password for multiple sites.”

In a statement to The Register, TfL said no customer payment details had been obtained by the hackers, but it is putting additional security measures in place as a precaution.

While the online service is offline, TfL customers can still use their mobile Oyster app to top up their PAYG accounts, and physical top-ups can be made at ticket machines.

The issues began on Wednesday night with customers unable to access the website after the hackers used credential stuffing tactics to gain access to accounts. Yesterday, TfL was telling customers of “performance affecting issues”, but only revealed the hack on Thursday.

The transport authority is advising account holders to contact Transport for London if they notice any strange activity on their accounts. All breaches will be reported to the National Cyber Security Centre and British Transport Police.
