Cyber security incident

We identified some suspicious activity on Sunday 1 September and took action to limit access. We are conducting a thorough investigation into the incident, alongside the National Crime Agency and the National Cyber Security Centre.

Although there has been very little impact on our customers so far, the situation is evolving and our investigations have identified that certain customer data has been accessed. This includes some customer names and contact details, including email addresses and home addresses where provided.

Some Oyster card refund data may have been accessed. This could include bank account numbers and sort codes for a limited number of customers (around 5,000).

If you are affected, we have contacted you directly as a precautionary measure, to offer you support and guidance.

If you have received direct communication from TfL that your personal information has been accessed as a result of a cyber attack incident and you would like to verify the contents of that communication, please speak to one of our customer services advisers on 0343 222 1234. Unfortunately, given the nature of the investigation and the incident, we cannot directly confirm what data each individual customer may have had accessed.

We are doing all we can to protect our services and secure our systems and data. Our proactive measures mean that:

  • Live Tube arrival information is not available on some of our digital channels, including TfL Go and the TfL website. In-station and journey planning information is still available
  • Applications for new Oyster photocards, including Zip cards, have been temporarily suspended. If you want to replace a lost photocard then call us on 0343 222 1234 between 08:00-20:00 every day and select option 1 (charges may apply)
  • Please keep a record of fares paid as it is our intention to refund customers for additional travel costs incurred while our Oyster photocard website is unavailable
  • Children with expired 5-10 or 11-15 Zip Oyster photocards should show their card to staff at Tube, DLR, London Overground, Elizabeth line and National Rail stations (where normally accepted) and when boarding buses or to tram revenue inspectors. Staff will accept expired 5-10 Zip Oyster and 11-15 Zip Oyster photocards until 31 October. This includes 16-year-olds whose 11-15 Zip Oyster photocard expired on 30 September 2024. We will inform expired 5-10 and 11-15 Zip Oyster photocard customers when they can apply for their next Zip Oyster photocard
  • We're currently unable to process 60+ photocard yearly address checks. Your photocard will keep working as normal. We'll let you know when we can run these checks again
  • Oyster and contactless customers - online journey history is currently unavailable through any of our platforms
  • We're currently unable to process payments on the Oyster & contactless app. You can still make payments on this website and in stations
  • We're currently unable to register Oyster cards to customer accounts on our website or the Oyster and contactless app
  • We're currently unable to issue refunds for incomplete pay as you go journeys made using contactless, so always remember to touch in and out. Oyster customers can self-serve online
  • Many of our staff have limited access to systems and, as a result, there will be some delays responding to any online enquiries

We're also undertaking an all-staff IT identity check. Although we don't expect any significant impact to customer journeys as we carry out this process, temporary and limited disruption is possible to some services. Please check before you travel.

Always be alert to approaches from anyone claiming to have your data and to any other suspicious calls or emails, particularly if you are asked to provide personal or financial information.

If you are contacted by someone claiming to have your data, you should contact Action Fraud, the UK's national reporting centre for fraud and cybercrime, on 0300 123 2040.

The National Cyber Security Centre has further guidance for individuals and families on data breaches.

We will continue to keep you updated. We are sorry for the inconvenience this incident may cause and thank you for your patience.

Last reviewed 4 October 2024