TfL admits 2024 cyberattack may have affected over 10 million people — personal customer info stolen, here's what we know so far

  • TfL reportedly admits scale of 2024 cyberattack was much greater than first thought
  • Around 10 million people may have had personal information stolen
  • Names, email addresses, home phone numbers, mobile phone numbers and physical addresses all stolen

Transport for London (TfL) has confirmed around 10 million people had their data stolen in a 2024 cyberattack, new reports have claimed.

The BBC reported the figures after reportedly seeing a copy of a database stolen by hacking group Scattered Spider, containing names, email addresses, home phone numbers, mobile phone numbers and physical addresses.

The attack in August 2024 caused major disruption to TfL systems, with online services and information boards all affected, and an estimated £39m in damages.

TfL cyberattack

TfL initially said that only "some" customers were affected, and told the BBC it "kept customers informed throughout this incident and will continue to take all necessary action".

It noted a full investigation had been carried out, but didn't say precisely how many people had been affected until now, when it admitted that 7,113,429 customers with an email address registered to their TfL account had been alerted.

However, these emails only had a 58% open rate, meaning potentially millions of affected people have not read the statutory notification, and those who did not have an active email registered with TfL may still be unaware that criminals may have their data.

The BBC noted the database had nearly 15 million lines of data in total, but many of these look to be duplicates.

TfL has been cleared by the Information Commissioner's Office (ICO), the UK's data watchdog, of any wrongdoing for the breach and its handling of the aftermath, but admitted that, at the time of the incident, only around 5,000 users were contacted because their Oyster card refund data had possibly been accessed, meaning bank account numbers and sort codes might have been affected.

TfL admitted in December 2024 it had to spend around £30 million (roughly $38 million) on addressing the attack, including “external support” - third-party cybersecurity organizations that help respond to and remedy the attack.

Two British teenagers accused of carrying out the hack are set to go on trial in June 2026.

“The most surprising part of the TfL breach isn’t that millions of people had their data stolen, it’s that the true scale of it only really becomes clear long after the incident occurs,” noted Jake Moore, Global Cybersecurity Advisor at ESET.

“Ten million records is an incredibly valuable dataset for criminals and when joined up to further previously exposed data, it becomes a treasure trove that is never deleted. Even if the data hasn’t been actively abused yet, it’s highly likely that it will be traded and reused in scams for years.”

“When millions of ordinary people rely on a service like this every day, the impact goes far beyond the organisation itself which is why immediate transparency around the scale of a cyberattack is so important. Anyone who had payment details linked to a TfL account should therefore continue to keep a close eye on their bank statements and remain cautious of any unexpected messages.”

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.