Mind the password gap: what the TfL Oyster breach tells us about the state of password management in the commuting population

Oyster card

Tim Galligan, general manager of EMEA operations at SailPoint explains what happens what password duplication can mean for commuters

We all rely on Oyster cards to get us around the city – but for some TfL customers, password duplication has led to suspended service on all lines. Despite the £2.3bn commuters spend on TfL journeys each year using Oyster, some are still tempted enough to reuse their passwords from other sites and leave their personal credentials (and data) vulnerable.

User credentials are the new attack vector. Once one is cracked, there is the potential to take over the rest of someone’s digital logins, too. This is particularly troubling if users are sharing passwords between work and personal accounts as they could unknowingly be exposing their employer in the process.

Hackers are all over that fact – identity fraud is often the result of poor ‘password hygiene’ with individuals using the same user logins and passwords across numerous accounts – a very common occurrence. In our surveys, a whopping 65% of employees admit to routinely reusing passwords across multiple applications and websites. With such weak passwords in place, cyber criminals are able to easily access account information and steal personal credentials, off the back of just a few phishing emails or SMSing, with the latter being is a form of fraud that uses mobile phone text messages.

The good news is that 54% of organisations have an identity programme. That figure suggests the scales are tipping in favour of a comprehensive corporate approach to security, which must include identity. The bad news is, you can’t govern what you can’t see, and so for some organisations their employees’ Oyster passwords have become a security blind spot.

And what if they signed up with a password they used in their previous job? Keeping up with employees and their access is incredibly complex for IT teams. It becomes even more challenging when you think about the number of organisational changes that happen on a daily basis, as users join or leave the organisation or change job responsibilities and roles. In many cases, permanent employees may still have their former access privileges long after they have left the company. These ‘orphaned’ accounts, still technically active but with no signed owner, are particularly dangerous as their access to systems and files appears to be legitimate and within an organisation’s normal day-to-day access pattern.

With many of us topping up our Oyster credit in the office before the evening commute, we all need to mind the password gap. While passwords can be changed if compromised, organisations must more diligently prepare to safeguard data, that can’t be replaced if compromised. With breaches reported already, the surest form of protecting digital identities today is by governing well, to reduce uncertainty and risk.

Subscribe to our newsletter

Don't miss new updates on your email