Now reported that the details are compromised.
They both get punished if the perpetrator gets caught, the perpetrator for the illegal act of 'hacking' and the corporate for the illegal act of not adequately protecting data.
If the companies responsible for storing people's data safely weren't at risk of fines/legal action they probably wouldn't be half as bothered about protecting said data.
Someone already mentioned this in post #24
The last refund I had was probably around 2018 - "delay repay" I think - or the TFL equivalent.
You can quite easily still use TfL services with an unregistered Oyster card, an unregistered contactless card or if willing to pay more cash for paper tickets.
It's also a dated and rather insecure method compared to more modern methods like authenticator apps and passkeys.
I think it's common knowledge now that 30k staff have had their credentials revoked and are having to go to one of 6 "hubs" set up by TfL - indeed there is a new external website confirming all that and more.
You could FOI TfL and ask
It'd be somewhat pointless, surely, seeing as it's exclusively involving the request of personal data and I'm not convinced a request for the PII of someone who made what was, by the balance of probabilities, a mistake rather than something malicious would pass any public interest test. (I've not looked, there may also be other PII-specific parts of the FoIA that additionally would make it invalid)You could FOI TfL and ask
The
smiley was attached to indicate a joke or other non-serious statement was being made 
From a purely technical perspective I think that's probably harder than it sounds. The way the machines are loaded with fares is a manual on-site job that has to be arranged far in advance with Cubic (as we saw with the LU machines selling national rail fares at the old price for ages after the fares change, because the new fares weren't distributed in time for Cubic's snail schedule)
One would certainly hope and expect so.
.
From a traveller's point of view, I can see how it might not be - but dependent on the nature of the attack (TfL have revealed that basically every employee is having to go through ID checks to regain access to IT systems - that gives clues there's potentially been some quite extensive damage to internal systems, and also ties up technical resource who are rightly prioritising critical access to systems before looking at customer-facing platforms, and then they might then switch to working on other systems), it's potentially impossible to just switch these systems back on. The historical data those platforms need may simply no longer exist in the form that they did prior to the attack, or been corrupted (for example, a partially-successful ransomware attack).
So my question to you back is, other than a system pretty much equal to those that have been disrupted due to the cyber attack, what do you expect those mitigations might be? I do suspect TfL will have to offer a grace period for any refunds that are due, and a way of these being processed manually if the usual systems are unavailable, but again these take time to set up and we should cut them some slack here; it's exceedingly unlikely anyone will be out of pocket long term if for no other reason that the cost of dealing with refund requests from card providers if this were to be the case would be immense.
Strong disagree. That would cause chaos as TfL have significantly reduced the number of ticket machines to account for uptake of Oyster (and again for Contactless where visiting a machine isn't needed at all), they'd be better off running a free system for as long as needed than doing this if it was required.
lf anything it would be back to Oyster surely (for the majority of the network which isn’t CPC-only), given that online options are still avaliable for Pay As You Go on Oyster as well as staff at stations can still assist with resolution of many issues for PAYG.
