2024 TfL hack affected around 10 million people, BBC can reveal

Around 10 million individuals had their personal data compromised in a significant cyber-attack on Transport for London (TfL) in 2024, a revelation that positions the incident among the most extensive data breaches in British history. This disclosure significantly expands upon TfL’s initial statement at the time, which only indicated that "some" customers were impacted. The breach, attributed to the notorious Scattered Spider cybercrime group, infiltrated TfL’s internal computer networks, leading to the disruption of its online services and incurring an estimated £39 million in damages. The attackers successfully exfiltrated a database containing sensitive customer information, the full scope of which has now been uncovered by BBC News through access to a copy of the compromised file. TfL, in its response to the BBC, maintained that it has "kept customers informed throughout this incident and will continue to take all necessary action." The cyber-attack, which unfolded between late August and early September 2024, did not directly impede London’s transportation operations but resulted in the temporary unavailability of numerous TfL online services and public information displays.

The revelation of the hack’s true scale came after the BBC was approached by an individual within the hacking community who possessed a complete copy of the TfL database. This database reportedly contains the names, email addresses, home phone numbers, mobile phone numbers, and physical addresses of an estimated 10 million individuals. The source, who chose to remain anonymous, provided the database to the BBC for verification purposes. The BBC has since deleted the data after confirming its authenticity, noting that it contained millions of entries detailing personal information, including the reporter’s own details. In total, the database comprises nearly 15 million "lines" of data, although it is understood that some entries may be duplicates. TfL has acknowledged conducting a thorough investigation into the breach but has been reluctant to provide an exact figure for the number of individuals affected. However, the organization has since admitted to sending emails to 7,113,429 customers who had an email address registered with their TfL account to inform them of the incident. The effectiveness of these notifications is questionable, given that the emails had a reported 58% open rate, suggesting that millions of affected individuals may not have read the official notification, or that those without active email registrations were not alerted to the fact that their data had been compromised. While the immediate risk to individuals is considered low, experiencing a data breach can increase the susceptibility to scams and fraudulent activities, as stolen databases are frequently traded and shared within hacker communities and online forums. The individual who shared the database with the BBC stated they were unaware of the data being used for any secondary attacks at this time.

At the time of the incident, TfL had identified approximately 5,000 customers at heightened risk due to the potential access of their Oyster card refund data, which could have included bank account numbers and sort codes. As a precautionary measure, TfL stated it had contacted these individuals via email and post, offering support. "In addition, we publicised that information on customer names and contact details may have been taken – including email addresses and home addresses, where provided," a TfL spokesperson elaborated. While some hacked companies do disclose the full extent of data breaches, particularly in other jurisdictions, companies in the UK are not legally obligated to publicly announce the total number of individuals affected by a breach. Last year, the Co-op, in a live BBC television interview, admitted that 6.5 million people were affected by a breach that occurred in the spring. Data protection and cybersecurity experts argue that withholding this information hinders the collective effort to combat cyber-crime. Carl Gottlieb, a data protection consultant, emphasizes the critical need for individuals to be fully informed about what has happened to their data and the potential risks to their privacy following a breach. He further stresses the importance of understanding the scale of a breach, as larger datasets can be more valuable to attackers and more likely to be exploited in future fraud attempts. Security researcher Kevin Beaumont echoed these sentiments, describing the disclosure of breach scale as a "most basic requirement for transparency" and advocating for changes in UK regulations or laws to better protect victims of data theft.

TfL was cleared by the UK’s data watchdog, the Information Commissioner’s Office (ICO), of any wrongdoing in relation to the breach and its subsequent handling of the aftermath. The ICO informed the BBC in February 2025 that it had been made aware of the full extent of the TfL breach but concluded that no further action was necessary. A spokesperson for the data protection watchdog stated that they had "carefully examined the full circumstances of the incident," including TfL’s victim notification procedures. The ICO’s conclusion was that "formal regulatory action was not proportionate in this case." The regulator also noted that TfL is obligated to inform them if it becomes aware of any new information that alters the risk assessment or indicates harm to individuals. The scale of this breach, affecting an estimated 10 million individuals, raises significant concerns about data security practices and transparency in reporting cyber incidents within the UK. The financial and reputational impact on TfL, coupled with the potential for increased fraudulent activity targeting millions of affected individuals, underscores the critical need for robust cybersecurity measures and clear communication protocols in the event of future data breaches. The involvement of the Scattered Spider group, known for its sophisticated and often disruptive cyber-attacks, further highlights the evolving threat landscape faced by public transportation networks and other critical infrastructure. The incident serves as a stark reminder of the pervasive risks associated with digital data and the ongoing challenges in protecting sensitive personal information from malicious actors.
