As I parked my car at home after work on Friday, 9 May, an email popped up about a data breach of my MyWay+ account.
At first, I was like ‘Oh s***’, then my mind turned to ‘Is this a scam’?
After a few calls to the MyWay+ customer service team, I received confirmation the email was, in fact, legitimate.
The email came from Transport Canberra and City Services acting director-general Ben McHugh.
The letter was directed to me and said: “we are writing to you today to notify you that your personal data was exposed in a breach of the MyWay+ system which impacted 277 others”.
“Our investigations have shown that the data released was limited and that the person who inadvertently received it has deleted it.
“The vulnerability that allowed for this exposure was immediately addressed and we have no evidence of any further exposure.”
Mr McHugh further stated the data exposed was “extremely minimal as not all personal information in the MyWay+ system is mandatory”.
“First name and an anonymised credit or debit card detail were the only items exposed,” he said.
“Passwords or other usable financial information (e.g. expiry or CCV number) was not exposed at all.
“Importantly, there is no action required by you.
“Transport Canberra apologies for this occurrence.
“We are working with our suppliers to make MyWay+ more secure every day.”
The breach was confirmed to me in a phone call with customer service on Monday 13 May.
They said only my first name and the last four digits of my bank card were exposed and that it was highly unlikely the person would be able to guess the rest of the card number and CCV.
However, because I explained a strange (attempted) charge in the US had come up on my card since, the matter was escalated. It is unclear whether the data breach and strange “transaction” were linked or not.
It comes as an official inquiry into the procurement and delivery of MyWay+ is underway in the Legislative Assembly.
Canberra Liberals leader Leanne Castley was the instigator for the inquiry, which includes public hearings.
As previously reported by CD on 28 November 2024, the Canberra Liberals called for an inquiry into the $70 million MyWay+ system following a rollout plagued by glitches and widespread user frustrations.
The MyWay+ system launched the day before, with users reporting several glitches, including QR codes not scanning, credit cards failing to scan when tapping off, app issues and ticket validators not working. I have personally experienced some of these issues since the rollout.
At the time, Mr McHugh said the problems were being addressed.
MyWay+ launched after a six-week trial period, replacing MyWay, which closed in September 2024 to align with the scheduled shut-off of Optus’ 3G network.
On 3 December 2024, CD reported that the ACT Government moved to ease these concerns, emphasising that any data sharing was necessary for app functionality and would be managed securely.
On 10 April 2025, The Canberra Times reported that more than 350 people had had some of their data inappropriately accessed from the public transport ticketing system across two “minor” data breaches.
Transport Minister Chris Steel said he had been advised on 9 May of the two data breaches involving the MyWay+ system, including one that had involved a responsible disclosure of a system vulnerability to cybersecurity authorities.
Were you one of the 277 others targeted in the breach? If you’d like to have a chat about it, send an email to [email protected]
Canberra Daily would love to hear from you about a story idea in Canberra and the surrounding region. Click here to submit a news tip.
Feeling social? Follow Canberra Daily: Facebook | Instagram | X (Twitter) | Tik Tok | YouTube
