For years I’ve been baffled and frustrated by the fact that their authentication mechanism prohibits the use of special characters in passwords, never mind any sight of MFA. Considering TFL’s weak password policy (e.g. 6 characters minimum), I wouldn’t imagine that credential stuffing is particularly hard.
With all of that sensitive travel history, along with personal data, at what point does this constitute a failure in their duty of care and become a GDPR breach due to inadequate controls?
Weak password policy.
No option for MFA.
Probably complete lack of bot mitigation or account takeover protection.
No risk-based authentication (hey, you’ve logged in from Eastern Europe...). You know that the first sign of a problem was probably reported by customers rather than detected in their SOC.
Given that they probably have the personal details and travel history of more than the working population of London, their protection of this personal data is completely inadequate.