Cyber Incident Victim: Transport for London

Date: Aug 2019

Location: United Kingdom

Summary

Transport for London temporarily suspended its Oyster card website following a credential stuffing attack that compromised customer accounts using login credentials exposed from unrelated third-party sites. While no payment details were accessed, the organization proactively disabled online account functionalities to implement enhanced security measures and notified potentially affected users, emphasizing risks associated with password reuse across multiple platforms.


Description

Transport for London (TfL) temporarily suspended its Oyster card website around August 8-9, 2019, following a credential stuffing attack targeting customer accounts. Attackers exploited login credentials previously compromised from non-TfL websites to gain unauthorized access to Oyster online accounts. The Oyster system, used for contactless travel across London’s Tube, buses, and Overground services, allowed customers to check balances and top up funds online or via ticket machines. TfL confirmed that only a small number of customers were directly impacted by the account breaches. The organization emphasized that no payment card details were accessed during the incident, as financial data was not stored within the compromised accounts. Service disruption occurred when TfL proactively took the Oyster website offline, displaying a ‘down for maintenance’ message to users. This action was implemented to prevent further unauthorized access while investigators assessed the breach.

TfL’s incident response included temporarily suspending all online contactless and Oyster accounts as a precautionary measure to protect customer data. The organization committed to contacting identified affected users directly while deploying additional security controls before restoring services. Public communications advised customers against password reuse across multiple websites, acknowledging that credential recycling enabled the attackers’ success. No evidence suggested a direct breach of TfL’s internal systems; the compromise stemmed from credentials exposed through unrelated third-party breaches. The suspension caused inconvenience to users reliant on online account management, though physical ticket machines remained operational for balance checks and top-ups. TfL prioritized restoring services only after implementing enhanced security measures to mitigate similar attacks.
