Transport for London has confirmed a number of passengers’ Oyster accounts have been hacked, after customers complained of not being able to access the service online.
The transport authority took the precaution of taking the Oyster system offline after 1,200 customer accounts were compromised. Online contactless and Oyster accounts were temporarily suspended to limit the damage.
That’s a small fraction of the six million online Oyster accounts, which facilitate easy travel in the capital on tube, train, bus and tram, but still a concern for those involved.
“As a precautionary measure and to protect our customers’ data, we have temporarily suspended online contactless and Oyster accounts while we put additional security measures in place,” TfL said in a statement.
Related: How to opt out of creepy tube Wi-Fi tracking
TfL believes the breach may have been the result of a third-party breach. The affected users may have used the same logins on other websites, causing the hackers to try their luck on the TfL site.
It said: “We will contact those customers who we have identified as being affected and we encourage all customers not to use the same password for multiple sites.”
In a statement to The Register, TfL said no customer payment details had been obtained by the hackers, but it is putting additional security measures in place as a precaution.
While the online service is offline, TfL customers can still use their mobile Oyster app to top up their PAYG accounts, while physical top-ups can be made at ticket machines.
The issues began on Wednesday night with customers unable to access the website after the hackers used credential stuffing tactics in order to gain access to accounts. Yesterday, TfL was telling customers of “performance affecting issues”, but only revealed the hack on Thursday.
The transport authority is advising account holders to contact Transport for London if they notice any strange activity on their accounts. All breaches will be reported to the National Cyber Security Centre and British Transport Police.
Editorial independence
Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.
Professional conduct
We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.
Editorial independence
Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.
Professional conduct
We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.