Transport for London (TfL) has taken its Oyster system offline to protect customers’ data after discovering accounts had been accessed by criminals.
According to TfL, a small number of customers had their accounts accessed after their login credentials were compromised when using non-TfL websites.
The company added: No customer payment details have been accessed, but as a precautionary measure and to protect our customers’ data, we have temporarily closed online contactless and Oyster accounts while we put additional security measures in place.
We will contact those customers who we have identified as being affected and we encourage all customers not to use the same password for multiple sites.
Even staff access to the online Oyster system has been suspended, according to online technology magazine The Register, which first reported the incident.
A spokesperson for TfL told Sky News that 1,200 customer accounts were accessed maliciously but stressed that there had not been a compromise of the network, with users themselves responsible for the breach by recycling their credentials.
Despite this, the local government body has acknowledged its ability to tackle so-called credential stuffing attacks by taking down the online accounts portal for maintenance.
A spokesperson for TfL also told Sky News they had been in touch with the National Cyber Security Centre and the Information Commissioner’s Office (ICO).
An ICO spokesperson told Sky News: We are aware of an incident concerning Transport for London and will be making enquiries.
Last November the ICO fined Uber £385,000 for failing to protect customers’ personal information which was leaked in a credential stuffing attack.
Uber’s situation had been considerably more to the detriment of its customers, however – the company actually paid off the hackers who stole data belonging to 57 million users, and then kept quiet about the breach.
It is understood the Uber incident involved the hackers gaining access to customer details via administrator accounts, while the TfL breach involved the customer credentials being taken from elsewhere.
(c) Sky News 2019: TfL takes Oyster system offline after customer accounts accessed