Passwords and log-in details for hundreds of LibertyBus customers were obtained by the hackers, who used a spoof website to divert those wanting to top up their pre-paid AvanchiCards.
The Office of the Information Commissioner is now investigating the breach, which was reported by the bus operator this week.
Kevin Hart, director of LibertyBus, said the rogue site had been shut down and the data breach reported within hours of being discovered on Wednesday.
‘We are working with the commissioner and the company which hosts our website on the investigation,’ he said. ‘This is something that we take very seriously. We’re very disappointed that this breach occurred and wish to apologise to those affected.’
A total of 361 people in Jersey were involved, just under 2% of the Island’s 20,000 AvanchiCard holders.
Another 82 customers of sister operation, CT Plus in Guernsey, were similarly affected, and everyone concerned has now been contacted by the two operators.
The breach only affected those who had sought to access the online top-up ‘shops’ via the two operators’ websites, and no bank details were obtained.
Mr Hart, who said that his own AvanchiCard was one of those involved, said it was a reminder of the importance of not using a single password for multiple websites.
‘Many of us don’t vary our passwords, and this means we’re more vulnerable,’ he said.
Paul Vane, deputy information commissioner, said LibertyBus was to be commended for a swift and proactive reaction to the incident.
‘Breaches are inevitable in the world that we live in; it’s about how you deal with them,’ he said.