Mind the password gap: what the TfL Oyster breach tells us about the state of password management in the commuting population

Tim Galligan, general manager of EMEA operations at SailPoint, explains what password duplication can mean for commuters

We all rely on Oyster cards to get us around the city – but for some TfL customers, password duplication has led to suspended service on all lines. Despite the £2.3bn commuters spend on TfL journeys each year using Oyster, some are still tempted enough to reuse their passwords from other sites and leave their personal credentials (and data) vulnerable.

User credentials are the new attack vector. Once one is cracked, there is the potential to take over the rest of someone’s digital logins, too. This is particularly troubling if users are sharing passwords between work and personal accounts as they could unknowingly be exposing their employer in the process.

Hackers are all over that fact – identity fraud is often the result of poor ‘password hygiene’, with individuals using the same user logins and passwords across numerous accounts – a very common occurrence. In our surveys, a whopping 65% of employees admit to routinely reusing passwords across multiple applications and websites. With such weak passwords in place, cyber criminals are able to easily access account information and steal personal credentials off the back of just a few phishing emails or smishing messages, the latter being a form of fraud that uses mobile phone text messages.

The good news is that 54% of organisations have an identity programme. That figure suggests the scales are tipping in favour of a comprehensive corporate approach to security, which must include identity. The bad news is, you can’t govern what you can’t see, and so for some organisations their employees’ Oyster passwords have become a security blind spot.

And what if they signed up with a password they used in their previous job? Keeping up with employees and their access is incredibly complex for IT teams. It becomes even more challenging when you think about the number of organisational changes that happen on a daily basis, as users join or leave the organisation or change job responsibilities and roles. In many cases, permanent employees may still have their former access privileges long after they have left the company. These ‘orphaned’ accounts, still technically active but with no assigned owner, are particularly dangerous as their access to systems and files appears to be legitimate and within an organisation’s normal day-to-day access pattern.
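One way to surface the orphaned accounts described above is to reconcile each application's account list against the HR roster. The following is an added illustration, not SailPoint's product or code; the account and roster records are constructed sample data, and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Account:
    app: str
    username: str
    owner_id: Optional[str]   # HR employee id mapped to this account, if any
    last_login: date

@dataclass(frozen=True)
class Employee:
    employee_id: str
    status: str               # "active" or "left"
    left_on: Optional[date] = None

def find_orphans(accounts: List[Account], roster: List[Employee]) -> List[Tuple[Account, str]]:
    """Return (account, reason) for every account that has no valid current owner.

    An account is orphaned when it has no owner mapping, when its owner is unknown
    to HR, or when its owner has left. Activity after the owner's leave date is
    called out separately, since that is the case that looks like normal usage."""
    by_id = {e.employee_id: e for e in roster}
    findings: List[Tuple[Account, str]] = []
    for acct in accounts:
        if acct.owner_id is None:
            findings.append((acct, "no owner mapped"))
            continue
        emp = by_id.get(acct.owner_id)
        if emp is None:
            findings.append((acct, "owner not in HR roster"))
        elif emp.status == "left":
            reason = "owner has left"
            if emp.left_on and acct.last_login > emp.left_on:
                reason += "; used after leave date"
            findings.append((acct, reason))
    return findings

# Constructed sample data (hypothetical ids, apps and dates)
ROSTER = [
    Employee("E100", "active"),
    Employee("E101", "left", date(2019, 6, 30)),
    Employee("E102", "active"),
]
ACCOUNTS = [
    Account("vpn", "alice", "E100", date(2019, 8, 29)),      # healthy
    Account("crm", "bob", "E101", date(2019, 8, 12)),        # leaver, still logging in
    Account("crm", "svc-reports", None, date(2019, 8, 30)),  # nobody owns it
    Account("wiki", "carol", "E999", date(2019, 7, 3)),      # owner unknown to HR
    Account("vpn", "dave", "E101", date(2019, 5, 1)),        # leaver, dormant since
]

def run_sample() -> dict:
    """Map (app, username) to the reason each flagged account was reported."""
    return {(a.app, a.username): r for a, r in find_orphans(ACCOUNTS, ROSTER)}
```

Feeding the joiner/mover/leaver feed into this check on a schedule turns the blind spot into a daily report that access owners can action.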

With many of us topping up our Oyster credit in the office before the evening commute, we all need to mind the password gap. While passwords can be changed if compromised, organisations must more diligently prepare to safeguard data that can’t be replaced if compromised. With breaches reported already, the surest form of protecting digital identities today is by governing well, to reduce uncertainty and risk.

About Security Buyer

Security Buyer is the leading authority in global security content, delivering expert news, in-depth articles, exclusive interviews, and industry insights across print, digital, and event platforms. Published 10 times a year, the magazine is a trusted resource for professionals seeking updates and analysis on the latest developments in the security sector.
