Transport for London (TfL) was forced to temporarily suspend the website for its Oyster system after a credential stuffing attack that maliciously accessed 1,200 accounts.
TfL’s online Oyster travel smartcard system was accessed this week by online larcenists who used customer login credentials stolen from other websites.
The transport authority said the intrusions affected passengers whose Oyster email address and password combinations were the same as the login details they had used on one or more other websites that had been hacked.
“We believe that a small number of customers have had their Oyster online account accessed after their login credentials were compromised when using non-TfL websites,” a TfL spokesperson said, adding that the passwords were not leaked by TfL or its services. Instead, they had been stolen from another website and then used to log in to the Oyster service.
“No customer payment details have been accessed, but as a precautionary measure and to protect our customers’ data, we have temporarily suspended online contactless and Oyster accounts while we put additional security measures in place. We will contact those customers who we have identified as being affected and we encourage all customers not to use the same password for multiple sites,” the spokesperson said.
The BBC reported that TfL said it would be contacting customers whose accounts were affected and had taken the issue to the National Cyber Security Centre and British Transport Police.
A number of customers took to Twitter to report the problem with their online Oyster accounts. TfL replied: “Oyster online is currently unavailable whilst we investigate performance issues impacting users.”
Hi Alessandra, Oyster online is currently unavailable whilst we investigate performance issues impacting users. We hope to have service restored later this evening but I can’t specify a time, it might be best to log in again tomorrow. Sorry about the inconvenience caused, Tariq
— Transport for London (@TfL) August 7, 2019
It said the online system should be up and running by August 9.
(2/2) Web accounts are likely to remain unavailable for the rest of the evening but should be back online tomorrow morning. Thanks, Tariq
— Transport for London (@TfL) August 8, 2019
In advice to travellers, TfL said customers can still update their Oyster cards using its app and at ticket machines in stations. TfL also has an online guide for customers should they face any cyberattack.
Credential stuffing exploits the huge volumes of stolen passwords available on the dark web and affects users who reuse the same login details across multiple sites. Such attacks are estimated to cost EMEA firms as much as $4m annually.
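As an added illustration (not from the article or TfL), the defender-side signal behind a response like TfL’s: one source address cycling through many distinct accounts with mostly failed logins, and the handful of accounts where a stolen password did work being the ones to suspend and notify. The log sample and its `ip=`/`user=`/`result=` fields are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not TfL data); one line per attempt.
SAMPLE_LOG = """\
2019-08-07T18:01:02Z ip=203.0.113.7 user=alice@example.org result=fail
2019-08-07T18:01:03Z ip=203.0.113.7 user=bob@example.org result=fail
2019-08-07T18:01:04Z ip=203.0.113.7 user=carol@example.org result=ok
2019-08-07T18:01:05Z ip=203.0.113.7 user=dave@example.org result=fail
2019-08-07T18:01:06Z ip=203.0.113.7 user=erin@example.org result=fail
2019-08-07T18:01:07Z ip=203.0.113.7 user=frank@example.org result=ok
2019-08-07T18:02:00Z ip=198.51.100.4 user=grace@example.org result=fail
2019-08-07T18:02:05Z ip=198.51.100.4 user=grace@example.org result=fail
2019-08-07T18:02:09Z ip=198.51.100.4 user=grace@example.org result=ok
2019-08-07T18:03:00Z ip=192.0.2.9 user=heidi@example.org result=ok
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(ok|fail)")


def summarise(log_text):
    """Per source IP: accounts tried, accounts logged in, attempts, failures."""
    stats = defaultdict(lambda: {"tried": set(), "ok_users": set(), "attempts": 0, "fail": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not login attempts
        ip, user, result = m.groups()
        s = stats[ip]
        s["tried"].add(user)
        s["attempts"] += 1
        if result == "ok":
            s["ok_users"].add(user)
        else:
            s["fail"] += 1
    return stats


def flag_stuffing(log_text, min_users=5, min_fail_ratio=0.5):
    """Credential stuffing signature: one source trying many distinct accounts
    with mostly failures (a real user retrying one account is not flagged).
    Returns {ip: sorted accounts where a stolen password worked} for follow-up."""
    flagged = {}
    for ip, s in summarise(log_text).items():
        fail_ratio = s["fail"] / s["attempts"]
        if len(s["tried"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = sorted(s["ok_users"])
    return flagged


if __name__ == "__main__":
    print(flag_stuffing(SAMPLE_LOG))
```

Thresholds are assumptions to tune per site; in production the same logic runs per time window, since a patient attacker spreads attempts across many addresses.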
While this attack was on customers’ accounts, cybersecurity firm Cylus’ CEO Amir Levintal believes train companies must be prepared for any potential online threats. He said: “As train systems incorporate more advanced technologies, becoming more and more connected, they also become far more vulnerable to cyber-attacks. The potential dangers are chilling: hackers can take over trains or switching systems, putting the lives of countless passengers in immense danger. The economic implications of hackers shutting down transit systems, which move millions of people on a daily basis, are also calamitous.
“What’s worse, all of these potentially devastating results and the leverage they give hackers for ransomware attacks make train systems high-value targets for malicious actors the world over.
“Over the years, the rail industry has invested heavily in technologies for safety, control, and passenger convenience. The dramatic rise in threat levels has caused both the industry and regulators to understand the urgent need for specific cyber solutions suitable for rail,” said Levintal.