Article Details

Transport for London confirms 5,000 users' bank data exposed, pulls large chunks of IT infra offline. Hauling in 30,000 staff IN PERSON to do password resets. Breaking Transport for London's ongoing cyber incident has taken a dark turn as the organization confirmed that some data, including bank details, might have been accessed, and 30,000 employees' passwords will need to be reset via in-person appointments. TfL quietly dropped the claim it made earlier this week that there had been "no evidence" of customer data being compromised in its cyber incident page. A further update has now confirmed that, yes, some customer data might indeed have been accessed. According to TfL: "Some Oyster card refund data may have been accessed. This could include bank account numbers and sort codes for a limited number of customers (around 5,000)." TfL has said it will contact affected customers as soon as possible "as a precautionary measure." While the network continues to run, large chunks of the TfL IT infrastructure have been pulled offline. Live tube arrival information isn't available, applications for new Oyster photocards have been suspended, and refunds for incomplete pay-as-you-go journeys made using contactless. Staff have limited access to systems. The last point is significant since TfL is undertaking an all-staff identity check and resetting 30,000 employee passwords in person. According to the TfL Employee Hub, staff details have been accessed as well as those of customers, although right now TfL only suspects email addresses, job titles, and employee numbers have been looked at. The Register understands that the incident is very much ongoing and another attack was attempted. There has also been an emergency meeting for management regarding the situation and a change in the physical security stance around TfL offices and facilities. TfL is no stranger to identity theft and malware. In 2023, a London Underground worker, using a keylogger, was able to give himself discounts and access the accounts of colleagues. The worker, Lewis Kelly, narrowly avoided a custodial sentence at the time.