Indra’s £1.96 bn TfL ticketing contract raises GDPR alarms as Oyster moves to account‑based model
#Privacy

Privacy Reporter
4 min read

Transport for London’s new seven‑year ticketing deal with Spanish tech group Indra, valued at up to £1.96 billion, will shift Oyster and contactless payments to an account‑based back office. The change gives Indra access to millions of travel records, prompting privacy watchdogs to warn of UK GDPR compliance challenges and potential penalties, less than two years after the September 2024 cyber‑attack that exposed data of up to seven million riders.

What happened

Transport for London (TfL) has published the full details of its Revenue Collection Services contract, awarded to Spanish defence‑and‑technology conglomerate Indra Sistemas. The agreement, signed in January 2026, covers the operation, maintenance and development of all ticketing services across London: paper tickets, Oyster smartcards, contactless bank cards and smartphone payments. The contract runs for seven years, with options to extend for up to five more, and the maximum possible value is £1.964 billion (excluding VAT), far higher than the £587 million figure initially announced.

A key technical shift is the migration from the current card‑centric system to an account‑based ticketing model. Under the new model, balances and travel histories will be stored in a central back‑office rather than on the card itself, enabling virtual Oyster cards on phones and allowing users to link multiple payment devices to a single account.

The contract gives Indra access to one of the world’s largest urban‑mobility datasets. TfL holds personal identifiers, travel histories, payment details and location data for over 7 million customers – data that was partially exposed in the September 2024 cyber‑attack.

Under the UK GDPR, the version of the EU General Data Protection Regulation retained in UK law after Brexit, TfL as data controller and Indra as data processor carry distinct obligations. In outline:

  1. The controller must have a lawful basis for each processing purpose (Article 6); for ticketing this is typically performance of a contract or public task, and where legitimate interests is relied on it must be balanced against data‑subject rights.
  2. Both controller and processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32).
  3. The controller must tell data subjects who processes their data and for what purpose (Articles 13‑14), and its contract with the processor must set out the processing in writing (Article 28).
  4. The controller must let data subjects exercise their rights: access, rectification, erasure, restriction, portability and objection (Articles 15‑21); the processor must assist it in doing so.
  5. The controller must notify the ICO of a personal data breach within 72 hours of becoming aware of it (Article 33) and, where the breach is likely to result in a high risk to individuals, inform those individuals without undue delay (Article 34). The processor must report any breach to the controller without undue delay so that this clock can start.

In the UK, the Information Commissioner’s Office (ICO) enforces these rules. The higher tier of UK GDPR fines is up to £17.5 million or 4 % of total worldwide annual turnover, whichever is higher, and it is calculated on the turnover of the undertaking that committed the infringement, not on the value of any contract. For a group of Indra’s size a 4 % fine would run to tens of millions of pounds, and both TfL and Indra can be fined separately for their own failures.

Impact on users and companies

Users

  • Privacy risk: Centralising travel data creates a single high‑value target. If the back office is compromised, attackers could obtain a detailed picture of an individual’s daily movements and payment habits, and by correlating records, who they regularly travel with.
  • Rights‑management: Account‑based systems must give users clear tools to view, correct or delete their travel records. A journey record tied to an account is personal data under the UK GDPR, so without such tools TfL would struggle to honour access and erasure requests at scale.
  • Price‑cap fairness: The new identifier system promises to apply daily/weekly caps across devices, but only if the system correctly links all accounts. Mis‑linking could lead to over‑charging or loss of caps, raising consumer‑protection concerns.

Companies (Indra and TfL)

  • Compliance burden: Indra will be a data processor acting on TfL’s instructions. The contract must contain the written processing terms required by Article 28, usually packaged as a Data Processing Addendum (DPA), spelling out responsibilities, sub‑processor approval, audit rights and breach‑notification procedures.
  • Security obligations: Article 32 does not prescribe specific controls, but it expects measures chosen with regard to the state of the art and the risk, and it names pseudonymisation, encryption and a process for regularly testing and evaluating the effectiveness of those measures. In practice that means encryption of data at rest and in transit, regular penetration testing and a documented incident‑response plan. Given the 2024 breach, the ICO is likely to scrutinise the new security architecture closely.
  • Financial exposure: In addition to potential ICO fines, individuals who suffer damage from a breach can claim compensation under the UK GDPR and the Data Protection Act 2018, and a large incident invites group litigation, further increasing the financial stakes.

What changes are required

  1. Comprehensive DPA – The contract must detail the exact categories of data processed, retention periods, sub‑processor approvals and the right of TfL to audit Indra’s systems.
  2. Privacy‑by‑Design – The account‑based platform should embed privacy safeguards from the start: pseudonymisation of travel records, minimisation of stored data, and strict access controls.
  3. Breach‑response protocol – Both parties need a joint incident‑response team, with clear timelines for notifying the ICO and affected passengers. The 2024 breach showed that delays can erode public trust.
  4. User‑control portal – TfL should launch a self‑service portal where riders can view their travel history, request deletions, and manage linked devices. This aligns with GDPR’s right of access and data‑portability provisions.
  5. Regular independent audits – The ICO often recommends third‑party security assessments for high‑risk public‑sector systems. Annual audits would help demonstrate compliance and may mitigate the severity of any future penalties.
  6. Staff training – Both TfL and Indra staff handling personal data must undergo GDPR awareness training, with records kept for audit purposes.
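The pseudonymisation and minimisation called for in point 2, and the cross‑device capping discussed under price‑cap fairness, can be illustrated in code. The following is an added example written for this article, not TfL or Indra code, and the record layout, fares, cap, retention period and device‑to‑account mapping are constructed for the demonstration. The journey store holds only a keyed pseudonym (HMAC‑SHA256 of the account id), a date, a coarsened hour, zones and a fare; the key and the device‑to‑account table are the "additional information" that GDPR Article 4(5) says must be kept separately, so someone who steals the journey table alone cannot map it back to riders.

```python
"""Added example: keyed pseudonymisation, data minimisation and cross-device
fare capping for an account-based ticketing back office. Illustrative code,
not TfL's or Indra's; all data below is constructed."""
import hashlib
import hmac
from collections import defaultdict
from datetime import date, timedelta

# Assumed: in a real deployment this key lives in the controller's KMS/HSM and is
# rotated; the journey store never holds it. Hard-coded here only for the demo.
PSEUDONYM_KEY = b"demo-key-held-by-controller-not-journey-store"
DAILY_CAP_PENCE = 850      # constructed figure, not a real TfL cap
RETENTION_DAYS = 56        # constructed retention period

# Constructed device -> account linkage: two devices belong to the same rider.
DEVICE_TO_ACCOUNT = {
    "oyster:0123456789": "acct-42",
    "phone-token:ab12": "acct-42",
    "bankcard-token:ff99": "acct-77",
}

# Constructed raw taps as a gate would emit them: device id, exact timestamp,
# entry zone, exit zone, fare in pence. The last one is older than the retention period.
RAW_TAPS = [
    ("oyster:0123456789", "2026-03-02T07:58:13", 1, 2, 330),
    ("phone-token:ab12",  "2026-03-02T17:41:02", 2, 1, 330),
    ("phone-token:ab12",  "2026-03-02T21:05:44", 1, 1, 290),
    ("bankcard-token:ff99", "2026-03-02T08:10:00", 1, 1, 290),
    ("oyster:0123456789", "2025-12-01T09:00:00", 1, 2, 330),
]


def pseudonymise(account_id, key=PSEUDONYM_KEY):
    """Keyed hash of the account id. Stable while the key is unchanged (so caps
    work), but not reversible or brute-forceable without the key."""
    return hmac.new(key, account_id.encode(), hashlib.sha256).hexdigest()


def minimise(raw_tap, device_map=DEVICE_TO_ACCOUNT):
    """Reduce a raw tap to the fields fare capping needs. The device identifier
    and the exact second are dropped; an unlinked device is pseudonymised under
    its own id so capping still works per device."""
    device, ts, zone_in, zone_out, fare = raw_tap
    account = device_map.get(device, device)
    return {
        "pseud": pseudonymise(account),
        "day": ts[:10],
        "hour": int(ts[11:13]),
        "zones": (zone_in, zone_out),
        "fare": fare,
    }


def daily_charges(records, cap=DAILY_CAP_PENCE):
    """Sum fares per (pseudonym, day) and apply the daily cap. Devices mapped to
    the same account share a pseudonym, so the cap spans all of them."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["pseud"], r["day"])] += r["fare"]
    return {key: min(total, cap) for key, total in totals.items()}


def purge_expired(records, today_iso, retention_days=RETENTION_DAYS):
    """Storage limitation: drop journey records older than the retention period."""
    cutoff = (date.fromisoformat(today_iso) - timedelta(days=retention_days)).isoformat()
    return [r for r in records if r["day"] >= cutoff]


def reidentify(pseud, candidate_accounts, key=PSEUDONYM_KEY):
    """Only the key holder (the controller, e.g. when answering an access
    request) can map a pseudonym back to an account, by recomputing the HMAC."""
    for account in candidate_accounts:
        if hmac.compare_digest(pseudonymise(account, key), pseud):
            return account
    return None


if __name__ == "__main__":
    stored = purge_expired([minimise(t) for t in RAW_TAPS], "2026-03-03")
    for (pseud, day), pence in daily_charges(stored).items():
        print(day, pseud[:12], f"{pence / 100:.2f}")
```

Running it shows the rider behind `acct-42` charged 850p for 2 March rather than the 950p of raw fares, because the Oyster card and the phone resolve to one pseudonym. Change the phone token to a different account in `DEVICE_TO_ACCOUNT` and the same taps produce two uncapped totals of 330p and 620p, which is precisely the over‑charging that mis‑linking would cause. The pseudonym is only as strong as the key: if the key is ever stored beside the journey table, the table is simply personal data again.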

Looking ahead

Indra’s contract marks a technological leap for London’s transport network, but it also places a massive trove of personal data under the stewardship of a foreign defence contractor. The ICO has already signalled that it will monitor the rollout closely, and any misstep could result in fines calibrated to the group’s worldwide turnover rather than to the contract, on top of the reputational cost of a second breach.

For passengers, the promise of seamless phone‑based ticketing is attractive, but it will only be a genuine improvement if the back office respects the same privacy standards that the old card‑centric design provided, almost by accident, by keeping the balance and recent journeys on the card itself.

