Cyber security incident

Following the recent cyber incident, we have been working hard to restore both our internal and customer-focused systems which were impacted by measures introduced as part of our response. We are sorry for the inconvenience this incident may cause and thank you for your patience.

Significant progress has been made and we are taking a phased approach to re-opening photocard applications to manage demand and process applications as quickly and efficiently as possible.

We have begun accepting applications for 18+ Student Oyster photocards, 18-25 Care Leaver Oyster photocards and Apprentice Oyster photocards.

Our proactive measures mean that:

  • Applications for new 5-10, 11-15 and 16+ Zip Oyster photocards and 60+ London Oyster photocards are suspended but are due to open shortly
  • Children with expired 5-10 or 11-15 Zip Oyster photocards can continue to travel on TfL and National Rail services (where normally accepted) up until and including Tuesday 31 December 2024, by showing their card to staff. This includes 16-year-olds whose 11-15 Zip Oyster photocard expired on 30 September 2024. We will inform expired 5-10 and 11-15 Zip Oyster photocard customers when they can apply for their new Zip Oyster photocard. Posters highlighting this are up at all TfL stations and station staff and bus drivers are regularly reminded of this acceptance.
  • 16+ Zip Oyster photocards are for children aged 16-18 and expire in the year of a pass holder's 18th birthday. Expired photocards will not be accepted beyond their expiry date. If your card has expired, you should use an alternative payment method for your travel.
  • We're currently unable to process 60+ photocard yearly address checks. Your photocard will keep working as normal. We'll let you know when we can run these checks again

Oyster and contactless

  • Online journey history for customers using contactless is currently unavailable through any of our platforms.
  • Online journey history for customers using Oyster cards is available on the Contactless and Oyster website
  • We're currently unable to register Oyster cards to customer accounts on our website or the Oyster and contactless app
  • We're currently unable to process payments on the Oyster and contactless app. You can still make payments on this website and in stations
  • We are able to process applications to replace lost Oyster photocards by phone. Please call us on 0343 222 1234 between 08:00-20:00 every day and select option 1 (charges may apply)

Refunds

  • We're currently unable to issue refunds for incomplete pay as you go journeys made using contactless, so always remember to touch in and out. Oyster customers can self-serve online on the Contactless and Oyster website
  • Please keep a record of fares paid as it is our intention to refund customers for additional travel costs incurred while our Oyster photocard website is unavailable
  • We will make a temporary change to keep data on journeys made using Oyster cards for longer than the usual 8/9 weeks, in order to support future customer refunds and access to journey history
  • Once new photocards have been issued, we will provide information on how to apply for refunds for any addition travel costs incurred due to not being able to apply for a photocard
  • We are currently unable to respond to some Santander Cycles customer enquiries, including processing refunds for customers who have been overcharged for using Santander Cycles. Work to restore these systems is underway and we will keep customers up to date as this work progresses

Many of our staff have limited access to systems and, as a result, there will be some delays responding to any online enquiries

For the latest details on Oyster photocards, check our photocard applications page.

We are conducting a thorough investigation into the incident, alongside the National Crime Agency and the National Cyber Security Centre. Our investigations identified that certain customer data was accessed and we have contacted customers who have been affected. If you have received direct communication from us that your personal information was accessed and you would like to verify the contents of this communication, please speak to one of our customer services advisers on 0343 222 1234.

Always be alert to approaches from anyone claiming to have your data and to any other suspicious calls or emails, particularly if you are asked to provide personal or financial information.

If you are contacted by someone claiming to have your data, you should contact Action Fraud, the UK's national reporting centre for fraud and cybercrime, on 0300 123 2040.

The National Cyber Security Centre has further guidance for individuals and families on data breaches.

We will continue to keep you updated.

Last reviewed 8 November 2024