TfL cyber attack means contactless roll out at 47 London commuter stations delayed
National Rail has said that the planned rollout of contactless payment at 47 railway stations in the South East has been delayed due to the ongoing cyber attack against Transport for London (TfL). The move is funded by £27 million from Central Government.
Customers will be able to ditch tickets at each station when the changeover does happen, which had been scheduled from September 22, and then in stages throughout 2025. Stations on Chiltern Railways, Greater Anglia, and GTR are included.
Stansted Airport and other Greater Anglia stations are set to go live in Phase 2 from the second half 2025. Currently, customers on the Stansted Express have to buy a paper or digital ticket before their journey.
READ MORE: TfL explains 'delays' to 162 homes at London Underground station as line upgraded
But National Rail says a new date will now need to be arranged for the stations that were set to go live from September 22. It said on X on Thursday, September 12: "Due to an ongoing cyber security incident @TfL, pay as you go with contactless will no longer be launching at 47 stations across the South East on the 22nd of September.
"We are working with TfL to reschedule the launch and will provide an update as soon as we can."
TfL confirmed on Thursday afternoon that the bank details of 5,000 customers have been hacked during the cyber attack which has been plagued its systems since September 1. Despite officials insisting last week there was no evidence customer data had been compromised, TfL now admits some Oyster card refund data has been accessed.
This could include both bank account numbers and sort codes. A 17-year-old boy has been arrested in Walsall on suspicion of cyber offences in relation to the attack.
'Temporary and limited disruption is possible to some services'
Shashi Verma, TfL's Chief Technology Officer, said: "We have notified the Information Commissioner's Office and are working at pace with our partners to progress the investigation. We will provide further updates as soon as possible.
"In addition, as part of the measures we have implemented to deal with the cyber incident, we have today put in place additional measures to improve our security. This includes an all-staff IT identity check. Throughout this planned process we have ensured that all safety critical systems and processes have been maintained.
"We do not expect any significant impact to customer journeys as we carry out this process. However, temporary and limited disruption is possible to some services so, as ever, please check before you travel.
"The security measures we are taking mean that it is now not possible for us to deliver the necessary system changes to enable 47 additional stations outside London to benefit from pay as you go with contactless on 22 September as planned. We are working with DfT and the Rail Delivery Group to reschedule and we apologise for the delay.
"We will continue to keep our customers and our staff updated. I would like to apologise for the inconvenience this incident may cause customers and I thank everyone for their patience as we respond to this incident."
Get the latest travel news from London's roads, trains and buses with our new London Traffic and Travel newsletter. You can sign up HERE.