Transport for London (TfL) suffered one of the biggest data breaches in British history when hackers stole the personal details of an estimated 10 million people in 2024, the BBC has confirmed after analysing a leaked copy of the compromised database.
At the time, TfL publicly stated only that “some” customers had been affected. But the organisation has now acknowledged that it emailed more than 7.1 million registered users about the incident - though only 58% opened the notification - suggesting millions of affected individuals may still be unaware their data was stolen.
The attack, carried out by the Scattered Spider cyber crime group between late August and early September 2024, penetrated TfL’s internal systems, disrupted online services and information boards, and caused £39m in damages. According to the BBC, the stolen file contained “names, email addresses, home phone numbers, mobile phone numbers and physical addresses of an estimated 10 million people.”
The BBC obtained the full database from a source within the hacking community and verified its authenticity before deleting it. The file contained nearly 15 million lines of data, though some entries were duplicates. The broadcaster confirmed that its own reporter’s details were included.
TfL has not provided a precise figure for the number of affected individuals, but the leaked dataset indicates the breach was far larger than previously understood. The organisation maintains that it has “kept customers informed throughout this incident and will continue to take all necessary action.”
The risk to individuals is considered low, but experts warn that stolen datasets of this size are often traded online and can fuel phishing, fraud and identity theft attempts for years.
TfL identified around 5,000 customers at particular risk because their Oyster refund information, potentially including bank account numbers and sort codes, may have been accessed. These individuals were contacted directly by email and post.
However, millions of others may not have received or opened the statutory notification. Those without an active email address registered to their TfL account were not contacted individually.
Cyber security specialists argue that the UK’s lack of mandatory public disclosure requirements leaves victims under-informed. In contrast, companies in the Netherlands, Japan and South Korea have publicly confirmed the full scale of recent breaches affecting millions of customers.
Data protection consultant Carl Gottlieb said that after a breach, organisations must clearly explain what happened and what risks individuals face. Knowing the scale matters, he added, because “large datasets can be more valuable to attackers and more likely to be used in future fraud attempts.”
Security researcher Kevin Beaumont described public disclosure of breach size as “the most basic requirement for transparency” and said UK law should be strengthened to support victims.
ICO clears TfL of wrongdoing
The Information Commissioner’s Office (ICO) has confirmed it was informed of the full extent of the breach and concluded in February 2025 that no regulatory action was proportionate. The watchdog said it had “carefully examined the full circumstances of the incident,” including TfL’s notification steps.
The ICO added that TfL must update the regulator if new information emerges that changes the risk assessment or indicates harm to individuals.
The trial of two British teenagers accused of involvement in the hack is scheduled for June.
In February, the Greater London Authority's Oversight Committee's review of the reasons for and consequences of the attack concluded that the GLA must adopt a more systematic, better resourced and more transparent approach to cyber security if it is to withstand the rapidly evolving threat landscape.
It set out eleven recommendations, including:
• developing a benchmarking approach for cyber security investment
• regular reporting on legacy systems and supply chain risks
• ensuring all supply chain organisations achieve Cyber Essentials Plus
• assessing the effectiveness of staff training and monitoring completion rates
• conducting regular cyber security exercises and improving incident reporting