Bank details for 5,000 TfL passengers accessed in cyber attack

The National Crime Agency has this afternoon announced that it has traced the source of the cyber attack against Transport for London to a teenager living in Walsall in the West Midlands.

The news comes as TfL has admitted for the first time that as many as 5,000 regular passengers on the capital’s bus, Tube, Overground and Tram networks may have had their banking details illegally accessed.

Of those affected, “This includes some customer names and contact details, including email addresses and home addresses where provided,” TfL said. Some Oyster card refund data may have also been accessed, “possibly including bank account numbers and sort codes for a limited number of customers”.

It was reported yesterday that TfL has suspended all Oyster card renewals temporarily, as a precaution because of the cyber attack.

Today, the NCA issued a statement: “The 17-year-old male was detained on suspicion of Computer Misuse Act offences in relation to the attack, which was launched on TfL on September 1.”

The NCA says it is working with TfL and the National Cyber Security Centre “to manage the incident and minimise any risks”.

The teenager, who is not yet old enough to be named in the media, was arrested on September 5, questioned and bailed.

Paul Foster, the head of the NCA’s cyber crime unit, said: “Attacks on public infrastructure such as this can be hugely disruptive and lead to severe consequences for local communities and national systems.

“The swift response by TfL following the incident has enabled us to act quickly, and we are grateful for their continued co-operation with our investigation, which remains ongoing.”

Apologising for the inconvenience caused to London’s public transport passengers, TfL said this afternoon: “We are doing all we can to protect our services and secure our systems and data.”

As a result of TfL’s responses to the hack attack:

  • Live Tube arrival information is not available on some digital channels, including TfL Go and the TfL website. In-station and journey-planning information is still available
  • Applications for new Oyster photocards, including Zip cards, have been temporarily suspended. “If you have been unable to apply, please continue making your journeys as usual and keep a record of any fares paid. We may be able to arrange a refund once the incident has been resolved and you receive your new photocard.”
  • ⁠If you travel using a contactless payment card, you won’t be able to access your online journey history
  • TfL is unable to issue refunds for incomplete pay-as-you-go journeys made using contactless, so passengers need to remember to touch in and out. Oyster customers can self-serve online.

“We’re also undertaking an all-staff IT identity check,” TfL said. “Although we don’t expect any significant impact to customer journeys as we carry out this process, temporary and limited disruption is possible to some services. Please check before you travel.”

The TfL and NCA investigation has discovered some possible illegal access to Oyster card refund data.

“Although there has been very little impact on our customers so far, the situation is evolving and our investigations have identified that certain customer data has been accessed,” TfL said.

“This includes some customer names and contact details, including email addresses and home addresses where provided.

“Some Oyster card refund data may have also been accessed. This could include bank account numbers and sort codes for a limited number of customers (around 5,000).

“If you are affected, we will contact you directly as soon as possible as a precautionary measure, and will offer you support and guidance.

“We will continue to keep you updated. We are sorry for the inconvenience this incident may cause and thank you for your patience.”


Inside Croydon – If you want real journalism, delivering real news, from a publication that is actually based in the borough, please consider paying for it. Sign up today: click here for more details


  • If you have a news story about life in or around Croydon, or want to publicise your residents’ association or business, or if you have a local event to promote, please email us with full details at inside.croydon@btinternet.com
  • As featured on Google News Showcase
  • ROTTEN BOROUGH AWARDS: In January 2024, Croydon was named among the country’s rottenest boroughs for a SEVENTH successive year in the annual round-up of civic cock-ups in Private Eye magazine

About insidecroydon

News, views and analysis about the people of Croydon, their lives and political times in the diverse and most-populated borough in London. Based in Croydon and edited by Steven Downes. To contact us, please email inside.croydon@btinternet.com
This entry was posted in Commuting, London-wide issues, TfL, Tramlink, Transport and tagged , , , , . Bookmark the permalink.

4 Responses to Bank details for 5,000 TfL passengers accessed in cyber attack

  1. Johng says:

    It seems the ease at which a teenager can hack TfL is the major cause of concern and he should be employed by TfL to test their security not prosecuted by them. It seems TFL staff need a real shake up and monitoring.

  2. Ev says:

    Sadly this is more widespread in cyber payment than is reported, When the option of cash is taken away everyone is up for ransom, and not in just financial terms, but in that personal data as well. This is the price that is paid for progress. If your wallet is stolen or lost it is only you who is affected. A cyber attack can compromise millions.

  3. So, a spotty teenager has rained on Mayor’s Khan’s self-satisfied parade. I can’t condone this boy’s actions but I don’t trust TFL to keep our personal data safe. In March last year they refused to answer a Freedom of Infoirmation request about what personal data they held on their customers.

Join the conversation here