Exploit: Credential stuffing attack
Oyster: Travel smartcard system for UK public transportation
Risk to Small Business: 2.111 = Severe Risk: Hackers accessed more than 1,000 Oyster user accounts by applying login credentials from other platforms to their Oyster login. This technique, known as a credential stuffing attack, uses stolen data from other websites and compounds the damage by applying that data to logins across the internet. To prevent further access, the smartcard system was taken offline for two days, creating delays to the public transit system while damaging its reputation as users took to social media to voice their frustrations about the delays.
Individual Risk: 2.428 = Severe Risk: Oyster is notifying customers who had their accounts compromised, and those users should assume that all available information was compromised in the breach. Moreover, because their accounts were accessed using credential stuffing, users should ensure that they use strong, unique passwords across all accounts.
Customers Impacted: 1,200
How it Could Affect Your Customers’ Business: Credential stuffing attacks can be difficult to defend against because the defense relies on users choosing strong, unique passwords across all of their accounts. However, businesses can get ahead of the threat by adopting the monitoring services necessary to know if their customers’ credentials might be compromised.
Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
https://www.theregister.co.uk/2019/08/08/tfl_oyster_card_outage_online_topup/