I wonder if this is like the Kevin Bacon character in Animal House who keeps saying 'Remain calm, all is well' then gets knocked over and trampled on.
In other words, they would say that wouldn't they.
Transport for London (TfL) – responsible for much of the public network carrying people around England's capital – is battling to stay on top of an unfolding "cyber security incident." Confirmation emerged yesterday evening when TfL said: "We are currently dealing with an ongoing cyber security incident. "The security of our …
So it has a legal requirement to inform its regulator, and the ICO too possibly.
Be interesting to see how this is spun, the NIS Regulations require a breach of an Operator of Essential Services to produce significant reporting and within 72 Hours too.
Watch this space, there can only be more information coming on this breach......
Had an un-registered oyster card since 2003; Needed to claim some Delay Repay, so phoned customer services who helpfully pre-made me an account.
This is what they got back:
I’m deeply unhappy giving TFL this much personal information to get a refund on a service that required no ID or registration, and I will be filing a right to be forgotten request to remove all this data once the delay refund process is complete.
I do Not want my Oyster card linked to any account or payment method, I do Not agree to your online account terms and conditions, and I want this account deleted right away, before I raise a further complaint about setting an account up against my wishes.
resting the urge to send back an I Told You So email today...
Uhh, that's not the takeaway I got from their post - they had an unregistered Oyster, i.e. one that they could manually top up as required, but which wasn't linked to a TfL account and therefore couldn't be administered remotely. This shows clear intent from the user that they do not want TfL to be storing any details, and given that TfL explicitly provide for users using Oysters like this, no problem there.
They then requested a refund of the unused balance on said card, and by the sounds of it *did* supply TfL with the details needed for this to be processed. Again, so far so good.
Their objection seems to have been that, in order to handle the refund, TfL then also took it upon themselves to effectively turn the card into a registered one, with the payment method details now associated with it within TfL's database. THAT'S a no-no - if the user never wanted their details stored by TfL (as their earlier use of the card in unregistered mode rather implies), and if they've then provided TfL with sufficient information to be able to process a one-off refund (again, as seems to have been the case), then there should be no, zero, nil, none, not a single solitary one, excuse for TfL retaining those details any longer than required to deal with the refund, and it's really not difficult to understand why they were a bit pissed off at TfLs actions there.
100% correct, ChrisC: you explained all of that way better than I could.
it was especially galling as they required a scan of a recent utility bill and a passport/driving license to get the refund.
As soon as they actually sort the refund out (They've managed 2 out of 3 so far), I'm filing a right to be forgotten; there is just no need for that amount of PID to be stored for a simple trip on the tube, and that was before they managed to get their systems hacked.
ChrisC got the gist; I gave them bank account details, and they sent part of the payment without issue (missed one of the journeys, so have to yell at them about that)
I resent the fact they want you to register an account (And accept the terms and conditions) for a refund, when they'll happily sell you the ticket without one.
This is exactly the same as you have on many platforms. You want to complain about being mown down by as Uber driver, you need an account to complain, the same for Amazon and pretty much any of the major platforms.
The assumption is that people will just provide the information and not give a stuff.
You can't link National Railcard discounts (usually 1/3 reduction in off-peak fares) with non-Oyster contactless, and all of the special categories (Student, Job-seeker etc.) also only operate with Oyster. TfL have been promising to provide a way to link these to "normal" contactless for years and it's now supposed to come with a later phase of their "Project Oval" Contactless expansion, but I can see why they're not overly keen to prioritise what would be in effect a revenue loss. Meanwhile it's a major pain with many journeys, especially those in the "expanded Contactless but non-Oyster" zones, now requiring a paper ticket to achieve a discounted fare. I'd love to be able to use my SwatchPay watch but sadly not an option until this is sorted.