How to Hack an Oyster Card

There are many reasons to want to know where somebody has been on the Tube

  • Do you want to find out where your girlfriend/boyfriend has been on the tube?
  • Are you concerned that your boss is traveling around London, looking to replace you?
  • Are you just a regular stalker/paparazzi who wants to follow somebody around?
  • Are you a private investigator who wants to know where your perp has gone on the tube?

Whatever the reason the following guide, of just five simple steps, will show you how to access the travel details of a person’s recent underground journeys:

  1. Obtain the relevant Oyster Card
  2. Take the card to the nearest London Underground Station
  3. Walk up to a counter, hand the card over and state “Excuse me mate, but I am not sure my balance is right on this, I think I didn’t swipe out recently, can you check it for me
  4. The TFL staff will then print out a list of the last couple of weeks journeys and hand them to you
  5. Leave the station with the card, the paper, nefarious mind set and a  maniacal laugh

Joking aside, this actually works.

Which is slightly concerning because people can so easily access other peoples travel details. While this may not bother many people, as they will simply say that there journey to work and home again, is their standard commuter route, and so of no interest. Others may think differently.

Firstly, private investigations firms do still use illicit methods to obtain data, the recent telephone bugging scandals involving journalists, is nothing new, its that is only just come to light. A few years ago, several well known companies were involved in a case that showed that information was obtain illegally, via data theft.

High networth individuals, especially if they are going through a divorce or possibly a major deal, can attract the attention of investigation firms. There have been occasions when these individuals have had the routes monitored, their phones and computers hacked into, and other such activity.

People who are involved in protests , for anything from animal rights activists to the anti-war lobby, are likely to be monitored and tracked where possible, and this is not all done via the state.  Large corporate who are likely to be disrupted, or targeted, by protests,  sometimes employ private firms to provide their own intelligence briefings, and these firms will go to great lengths to obtain this information for their client.

Interestingly the TFL (Transport For London) who operate the London Underground, have an exemption from the data protection act, which allows MI5 and the police to get near live data from the system, so track people moving around London.


Data Misuse: Police (PCSO)

On Thursday 14th May 2008 PCSO, Police Community Support Office Glen Baker, aged 47, was convicted of accessing the Police National Computer for his own purposes.

Glenn Baker is pictured on the left of this photograph:

PCSO Glenn Baker, Pictured on the Left

PCSO Glenn Baker, Pictured on the Left

This is another in a series of data misuses by the police, though the frequency of reported incidents tends to imply that people are getting caught more rather than committing the offense more.  Which is worse, its happening a lot now, or for years we had no idea it was happening a lot?

Data Misuse: Examples of Police Data Misuse

Below are examples of the police misusing data. While the list is, thankfully, small, two things must be remembered:

Firstly the list only contains examples of police misusing data AND getting caught AND being arrested/convicted AND it being reported AND it being based in the UK AND being listed on this site  – this is a is a very limiting Boolean statement.

Secondly, the intent is not to show that the police are 100% corrupt, or imply that they are all taking backhanders, the list merely shows that these incidents occur and that data is not 100% safe with any organization. People are faliable and make errors, both in data handling and in judgment.

Examples of Police Data Misuse in the UK

Data Misuse: Police Chief Constable Arrested

In January 2009 the ex-Assistant Chief Constable of West Yorkshire police, Andy Brown was arrested for breach of the data protection act.

In an odd story involving ex-police officers, serving police officers, and a missing dog, it appears that Andy Brown gained access to the PNC  (police national computer) to check the registered owner of a vehicle, in an attempt to locate a friends dog.

This latest case of data misuse does not appear to be  particularly sinister, just a case of of an “ex-job” guy helping out a friend, rather than going throught the police channels, which would have resulted in the same information being obtained. What is it does remind us of is how easy it is for people to get information out of PNC. In fact if there had not been a complaint in this case, nobody would have known.

How often does this happen, and nobody gets caught?

Data Theft: Paris Hilton

Paris Hilton is not having a good time of it in terms of data, in fact every time she creates a data record is seems to be lost, stolen, or misplaced. Most recently her website has been hacked into

Firstly, 2003,  Paris Hilton became (in)famous due to the home movies that were lost/found/misused and then widely distributed. The movie was titled  “One Night in Paris, and distributed through a professional adult movie company.

Now, just over a month later, January 2009, and her website,, has been hacked into. It is reported that for a period of time the site was hacked so that it would distribute malware, via the visitors in advertently downloading a trojan when first accessing the website.

The malware would then allow the creators to monitor the users computers, record keystrokes, etc, and thereore allow access to the users bank accounts.

Data Misuse: Call Centre

In another example of data misuse, this time by an Indian call center worker, a woman was sent several “amorous” texts, by a call handler from India as he liked the “sound of her voice”.

In this latest incident a UK woman called BT to arrange the installation of a phone, which resulted in her being put through to the ubiquitous Indian call center. One of the operators there took a fancy to the woman, based on her voice, and as a result started to send her amorous text messages.

In the scheme of data misuse, this is relatively minor, especially compared to CCTV workers in the UK looking into peoples houses, or Indian call center staff stealing thousands of pounds, or hundreds of thousands of pounds.

Data Misuse: Police (2004)

In 2004  police worker, Leanne Thomas, from Gwent looked up the police records of her “friends”, on the Police National Computer (PNC), because she was “bored”.

Leanne Thomas was later convicted of breached the data protection act and suspended from her job.

It is incredibly easy for people with accesses database to misuse data and there are numerous examples of data misuse in the UK, and and the police have misused data on several occasions.

It should be remebered that these are only the cases that people get caught, which is a fraction of the amount of real crime.