# Privacy: TfL enforces mandatory password reset for its Oyster and contactless accounts

Transport for London (TfL) has locked all Oyster and contactless accounts following a data breach incident which took place earlier this year.

In August, a credential stuffing attack saw threat actors target 1,200 Oyster card account holders and briefly take control of their accounts.

Subsequently, TfL locked all Oyster and contactless accounts on November 28th to reduce the risk from credential stuffing to all users on the system.

“This is a precautionary measure due to earlier reported instances of a very small number of accounts being accessed maliciously using data obtained from non-TfL websites. This is a routine step to enhance the security of our online accounts,” said Sashi Verma, CTO, TfL. 

Oyster users must reset their password to regain access to their accounts; the new password must be at least eight characters long and combine numbers, upper- and lower-case letters, and special characters.

Verma added that users can still top up their Oyster cards as normal and travel on TfL services without resetting their passwords. 

The British Transport Police have been enlisted to help investigate the breach in August. The Information Commissioner’s Office has also been notified. 

“Protecting our customers’ data is paramount and we want to help our customers to ensure their personal accounts remain safe.”
