TfL cybersecurity breach delays contactless payment rollout

The public transport authority said it was working to identify data accessed during the incident and would be contacting at least 5,000 customers.

A cybersecurity incident affecting Transport for London (TfL) has delayed the rollout of contactless payment systems across several stations outside of the UK’s capital city as authorities continue to assess the impact of the breach.

Contactless payment was scheduled to expand to 47 stations on the Greater London transport network on 22 September but has now been pushed back indefinitely as TfL works with the Department for Transport and the Rail Delivery Group on a new timeline.

TfL’s announcement is the latest update in the saga, which has been affecting the company’s services since the cyberattack was identified on 1 September, with authorities now believing customer names, contact details, and possible bank details were accessed during the breach.

TfL’s chief technology officer Shashi Verma said: “As part of the measures we have implemented to deal with the cyber incident, we have today put in place additional measures to improve our security. This includes an all-staff IT identity check. 

“Throughout this planned process, we have ensured that all safety critical systems and processes have been maintained.” 

Around 5,000 customers will be contacted about a possible breach of Oyster card refund data according to TfL, with details such as bank account numbers and sort codes believed to have possibly been accessed during the incident.