Transport for London has admitted that a cyber-attack on its computer systems affected some customer data, and could include details of Oyster card refunds. 

TfL’s systems were accessed on September 1 and some services were shut down to protect data, including the suspension of Oyster card renewals – including young people’s Zip cards –  and access to live Tube departure boards.

Now it says it will be writing to 5,000 passengers to say that their bank details may have been accessed by the hackers. Additional security checks are also being carried out on TfL staff, which could affect services for a limited period.

TfL’s announcement came as the National Crime Agency said that a 17-year-old had been arrested in Walsall as part of the investigation into the attack. He was questioned by officers and given bail.

The disruption means that plans to expand contactless payments to more National Rail stations outside London have been put on hold.

TfL had been working on behalf of the Department for Transport (DfT)  to enable tap-in, tap-out technology at 47 stations, including on Southeastern services to Sevenoaks, from September 22. It said it was working with the DfT and rail companies to arrange a new start date for the long-delayed project. 

Shashi Verma, TfL’s chief technology officer, said: Although there has been very little impact on our customer so far, the situation continues to evolve and our investigations have identified that certain customer data has been accessed. This includes some customer names and contact details, including email addresses and home addresses where provided.

“Some Oyster card refund data may also have been accessed. This could include bank account numbers and sort codes for a limited number of customers. As a precautionary measure, we will be contacting these customers directly as soon as possible to advise them of the support we can provide and the steps they can take.

Southeastern City Beam train
The introduction of contactless to some Southeastern services in Kent has been delayed. Image: The Greenwich Wire

“We have notified the Information Commissioner’s Office and are working at pace with our partners to progress the investigation. We will provide further updates as soon as possible.

“In addition, as part of the measures we have implemented to deal with the cyber incident, we have today put in place additional measures to improve our security. This includes an all-staff IT identity check. Throughout this planned process we have ensured that all safety critical systems and processes have been maintained.

“We do not expect any significant impact to customer journeys as we carry out this process. However, temporary and limited disruption is possible to some services so, as ever, please check before you travel.

“We will continue to keep our customers and our staff updated. I would like to apologise for the inconvenience this incident may cause customers and I thank everyone for their patience as we respond to this incident.”

TfL said a “thorough investigation” continues alongside the National Crime Agency and the National Cyber Security Centre.

Updates are being posted on the TfL website.