Oyster Customers Advised to Reset Passwords After Hack

Fraudsters steal thousands of pounds after obtaining account holder details

Transport for London (TfL) lost more than £3,000 after Oyster accounts were hacked in August, it was revealed on Friday.

Around 2,000 Oyster cards were accessed by cyber criminals, and TfL identified fraudulent activity on 360 accounts.

No customers lost money through the hack, but fraudsters extracted £3,293.97 from the transport authority by making a series of false claims for refunds.

British Transport Police are investigating, and one person has been arrested. Hackers accessed accounts through a criminal technique known as “credential stuffing”.

Login details and passwords obtained from third-party websites were used to access accounts – this is possible when customers use the same password for multiple websites.

On Thursday TfL locked all Oyster accounts, forcing customers to reset their password when they next log in. Cards can still be used and topped up in the normal way. The Oyster account system itself has not been compromised, and TfL says the password reset is a precaution.

Dr George Loukas, associate professor of cyber security at the University of Greenwich, said the hack highlighted why customers must use different passwords online. He said it was easy for criminals to check if login details have been used for another site, with cheap software scanning for matches.
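The pattern Dr Loukas describes, one stolen username-and-password list tried against many accounts, has a recognisable shape in a login log: one source tries many different accounts, each only once or twice, which is the opposite of a brute-force attack on a single account. The following is an added example, not code from TfL or from the article, showing how a defender might spot that shape and derive the list of accounts to force-reset (as TfL did). It assumes a hypothetical log format (timestamp, source IP, username, result) and uses constructed sample lines and assumed thresholds.

```python
"""Credential-stuffing detection over login logs (added example, not TfL code).

Assumed log format, one event per line: ISO-8601 timestamp, source IP,
username, and a result of OK or FAIL. The detection heuristic: within a
sliding time window, a single source IP attempting many distinct usernames
with only one or two attempts each is treated as credential stuffing.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). 203.0.113.7 sprays ten accounts
# once each; 192.0.2.9 hammers one account (brute force, not stuffing);
# 198.51.100.4 is an ordinary user mistyping a password once.
SAMPLE_LOG = """\
2019-08-12T09:00:01Z 203.0.113.7 alice@example.com FAIL
2019-08-12T09:00:02Z 203.0.113.7 bob@example.com FAIL
2019-08-12T09:00:02Z 203.0.113.7 carol@example.com OK
2019-08-12T09:00:03Z 203.0.113.7 dave@example.com FAIL
2019-08-12T09:00:04Z 203.0.113.7 erin@example.com FAIL
2019-08-12T09:00:05Z 203.0.113.7 frank@example.com OK
2019-08-12T09:00:06Z 203.0.113.7 grace@example.com FAIL
2019-08-12T09:00:07Z 203.0.113.7 heidi@example.com FAIL
2019-08-12T09:00:08Z 203.0.113.7 ivan@example.com FAIL
2019-08-12T09:00:09Z 203.0.113.7 judy@example.com FAIL
2019-08-12T09:05:00Z 198.51.100.4 alice@example.com FAIL
2019-08-12T09:05:30Z 198.51.100.4 alice@example.com OK
2019-08-12T09:10:00Z 192.0.2.9 bob@example.com FAIL
2019-08-12T09:10:05Z 192.0.2.9 bob@example.com FAIL
2019-08-12T09:10:10Z 192.0.2.9 bob@example.com FAIL
2019-08-12T09:10:15Z 192.0.2.9 bob@example.com FAIL
2019-08-12T09:10:20Z 192.0.2.9 bob@example.com FAIL
2019-08-12T09:10:25Z 192.0.2.9 bob@example.com FAIL
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_credential_stuffing(events, window_seconds=300, min_users=8,
                               max_attempts_per_user=2):
    """Return {ip: {"users": n, "successes": n}} for source IPs that, within
    any window of window_seconds, tried at least min_users distinct accounts
    with no account tried more than max_attempts_per_user times.
    Thresholds are assumptions; tune them to the site's real traffic."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            per_user = defaultdict(int)
            for _, user, _ in window:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user:
                successes = {u for _, u, r in window if r == "OK"}
                alerts[ip] = {"users": len(per_user), "successes": len(successes)}
    return alerts


def accounts_to_reset(events, alerts=None):
    """Accounts that were successfully logged into from a flagged source:
    these are the ones whose reused password is now known to the attacker
    and should be force-reset first."""
    if alerts is None:
        alerts = detect_credential_stuffing(events)
    return {user for _, ip, user, result in events
            if ip in alerts and result == "OK"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("flagged sources:", detect_credential_stuffing(evs))
    print("accounts to reset:", sorted(accounts_to_reset(evs)))
```

Only the spraying source is flagged: the single-account brute force from 192.0.2.9 fails the per-user attempt limit, and the legitimate user never reaches the distinct-user threshold. In a real deployment the same signature is usually combined with per-account rate limiting, breached-password screening at password-set time, and, as TfL did, a forced reset for every account that saw a successful login from a flagged source.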

Dr Loukas said: “Every time you hear on the news that your favourite online shop, online gaming site or online storage provider has been hacked, you can consider the username and password pairing that you used there as practically public knowledge.”

Shashi Verma, Chief Technology Officer for TfL, said customers were now being asked to reset their passwords as a “precautionary measure”.

He said: “Protecting our customers’ data is paramount and we want to help our customers to ensure their personal accounts remain safe.

“As part of this continuing work, we have recently begun making all Oyster and Contactless online account holders reset their passwords when they next sign in.”

A spokesperson for the British Transport Police (BTP) said: “We have an ongoing investigation into a cyber incident which affected the Oyster platform earlier this year.

“One person has been arrested and released under investigation, while the investigation continues.

“The BTP Cyber Crime Unit is currently undertaking detailed forensic analysis of material secured during the course of their enquiries. This work is being undertaken in collaboration with TfL.”

Transport for London is advising all customers to reset their Oyster account passwords. You can do so here: tfl.gov.uk/reset-password.

Jessie Matthewson - Local Democracy Reporter

November 29, 2019