Transport for London (TfL) was forced to temporarily suspend the website for its Oyster system after a credential stuffing attack that maliciously accessed 1,200 accounts.

TfL’s online Oyster travel smartcard system was this week accessed by online larcenists who used customer login credentials stolen from other websites.

The transport authority has said that the intrusions affected passengers whose Oyster accounts used an email address and password combination that they had also used on one or more other websites that had been hacked.

“We believe that a small number of customers have had their Oyster online account accessed after their login credentials were compromised when using non-TfL websites,” a TfL spokesperson said, adding that the passwords were not leaked by TfL or its services. Instead, they had been stolen from another website and then used to log in to the Oyster service.

“No customer payment details have been accessed, but as a precautionary measure and to protect our customers’ data, we have temporarily suspended online contactless and Oyster accounts while we put additional security measures in place. We will contact those customers who we have identified as being affected and we encourage all customers not to use the same password for multiple sites,” the spokesperson said.

The BBC reported that TfL said it would be contacting customers whose accounts were affected and had taken the issue to the National Cyber Security Centre and British Transport Police.


A number of customers took to Twitter to report the problem with their online Oyster accounts. TfL replied: “Oyster online is currently unavailable whilst we investigate performance issues impacting users.”

It said the online system should be up and running by August 9.

In advice to travellers, TfL said customers can still update their Oyster cards using its app and at ticket machines in stations. TfL also has an online guide for customers should they face any cyberattack.

Credential stuffing exploits huge volumes of stolen passwords on the dark web and affects users who tend to reuse the same logins across multiple sites. Attacks are estimated to cost EMEA firms as much as $4m annually.
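As an added example (not from the article, TfL or any tool it names), the following Python check shows the server-side signal that separates credential stuffing from a single user retrying their own password: one source touching many distinct accounts with a high failure rate, where the attempts that nonetheless succeeded are the accounts to notify and reset. The log format, addresses and thresholds are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed login-audit lines (not TfL data): time, source IP, account, outcome.
# 203.0.113.7 tries one guess per account across many accounts (stuffing pattern);
# 198.51.100.4 is one user retrying their own account (ordinary mistyping).
SAMPLE_LOG = """\
2019-08-02T09:00:01Z 203.0.113.7 alice@example.org FAIL
2019-08-02T09:00:02Z 203.0.113.7 bob@example.org FAIL
2019-08-02T09:00:02Z 203.0.113.7 carol@example.org OK
2019-08-02T09:00:03Z 203.0.113.7 dave@example.org FAIL
2019-08-02T09:00:03Z 203.0.113.7 erin@example.org OK
2019-08-02T09:00:04Z 203.0.113.7 frank@example.org FAIL
2019-08-02T09:00:10Z 198.51.100.4 alice@example.org FAIL
2019-08-02T09:00:15Z 198.51.100.4 alice@example.org FAIL
2019-08-02T09:00:20Z 198.51.100.4 alice@example.org OK
"""


def parse_line(line):
    """Split one audit line into (timestamp, ip, account, succeeded)."""
    ts, ip, account, outcome = line.split()
    return ts, ip, account, outcome == "OK"


def detect_credential_stuffing(log_text, min_accounts=5, min_fail_ratio=0.5):
    """Per source IP, count attempts, failures and distinct accounts; flag sources
    that spray many accounts with mostly failed logins. Returns {ip: summary}."""
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                  "accounts": set(), "succeeded": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, account, ok = parse_line(line)
        s = per_ip[ip]
        s["attempts"] += 1
        s["accounts"].add(account)
        (s["succeeded"].add(account) if ok else s.__setitem__("failures", s["failures"] + 1))
    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s["failures"] / s["attempts"]
        # Many distinct accounts AND a high failure rate: a single user retrying
        # one account has few accounts, so it is not flagged.
        if len(s["accounts"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_accounts": len(s["accounts"]),
                           "fail_ratio": round(fail_ratio, 2),
                           "accounts_to_notify": sorted(s["succeeded"])}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The accounts listed under accounts_to_notify are those where a reused password worked, which is the set an operator would force-reset and contact, as TfL said it would.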

While this attack was on customers’ accounts, cybersecurity firm Cylus’ CEO Amir Levintal believes train companies must be prepared for any potential online threats. He said: “As train systems incorporate more advanced technologies, becoming more and more connected, they also become far more vulnerable to cyber-attacks. The potential dangers are chilling: hackers can take over trains or switching systems, putting the lives of countless passengers in immense danger. The economic implications of hackers shutting down transit systems, which move millions of people on a daily basis, are also calamitous.

“What’s worse, all of these potentially devastating results and the leverage they give hackers for ransomware attacks make train systems high-value targets for malicious actors the world over.

“Over the years, the rail industry has invested heavily in technologies for safety, control, and passenger convenience. The dramatic rise in threat levels has caused both the industry and regulators to understand the urgent need for specific cyber solutions suitable for rail,” said Levintal.