Following reported instances of a number of accounts being accessed maliciously earlier this year, all Oyster and contactless customers are being required to reset their website account passwords.
TfL says that it’s a purely precautionary measure, and that there’s no reason to think that the earlier attack has been repeated.
The background is that back in August, TfL became aware that a small number of customers had had their Oyster online accounts accessed maliciously. TfL believes that this occurred when people used the same password on several websites and one of those other websites was hacked, letting the hacker into their TfL account using the same password.
Fortunately, no customer payment details were accessed and all affected customers were contacted and informed about this at the time.
TfL says that it is working with the British Transport Police to investigate who is behind the earlier attack, with one person already arrested, and the Information Commissioner’s Office has been notified.
As a precautionary measure, TfL has now decided to ask all customers to reset their passwords via the TfL website, and the reset will be sent to their registered email account.
Using a different password on every website is a pain, but it’s about the only way of preventing a hacked website letting someone log in to your account on an otherwise secure website. A password manager tool, which generates random passwords for each website you log into, is a good way of reducing that risk, and ianVisits makes use of LastPass as a web browser plug-in. Other password managers exist.
Shashi Verma, Chief Technology Officer at Transport for London said: “Protecting our customers’ data is paramount and we want to help our customers to ensure their personal accounts remain safe. As part of this continuing work, we have recently begun making all Oyster and Contactless online account holders reset their passwords when they next sign in.”
Travel using an Oyster or Contactless card won’t be affected, only use of the website to check customer account details.