Bank account details may have been stolen in major cyberattack, TfL says

Transport for London (TfL) has revealed customer’s personal data, including names, home addresses and possibly bank details were stolen as part of a major cyber attack first identified in September.

London’s transport operator had previously said there was no evidence of such data being accessed, but revised its statement on Wednesday afternoon.

Suspicious activity was first identified on Sunday 1 September and has since prompted investigations from the National Crime Agency and the National Cyber Security Centre, which are ongoing.

“Although there has been very little impact on our customer so far, the situation continues to evolve and our investigations have identified that certain customer data has been accessed,” Shashi Verma, TfL’s chief technology officer, said.

“This includes some customer names and contact details (including email addresses and home addresses).”

Verma added that some Oyster card refund data “may also have been accessed,” including bank account numbers and sort codes for a limited number of customers. “As a precautionary measure, we will be contacting these customers directly as soon as possible to advise them of the support we can provide and the steps they can take.”

“We have notified the Information Commissioner’s Office and are working at pace with our partners to progress the investigation. We will provide further updates as soon as possible.”

TfL said it did not expect any “significant impact to customer journeys” as it puts in place a series of additional measures to bump up security. However, it means a planned September 22 roll-out of contactless pay as you go at some 47 stations outside of London will be pushed back.

More to follow.