Oyster card accounts locked with users asked to reset passwords

TfL acts for a second time following August security breach - again blaming the risk of credential stuffing

Oyster card users with online accounts have had their passwords reset by Transport for London - an indication that the August admission of a data breach might be far larger than originally suggested.

TfL chief technology officer Shashi Verma described it as a "precautionary measure due to earlier reported instances of a very small number of accounts being accessed maliciously using data obtained from a non-TfL website. This is a routine step to enhance the security of our online accounts."

Password resets are typically forced on users to mitigate the risks of a credential stuffing attack. Oyster card users with accounts will need to reset their passwords, with the password being sent to the user's registered email address.

TfL admitted a security breach in August but only forced a wider password reset this week, which raises questions over what has happened in the interim to persuade the organisation to act now.

The August data breach entailed the compromise of around 1,200 customer accounts - not large by the standards of data breaches today.

At the time, the breach only came to light after the online service enabling users to check their balance or top up their cards was taken down. TfL said that was due to "performance affecting issues", and only later admitted that a compromise had occurred.

It then provided the bare minimum of public information about the breach.

"We believe that a small number of customers have had their Oyster online account accessed after their login credentials were compromised when using non-TfL websites," a TfL spokesperson said in a statement at the time.

"No customer payment details have been accessed, but as a precautionary measure and to protect our customers' data, we have temporarily suspended online contactless and Oyster accounts while we put additional security measures in place."