TfL breach exposed personal data of around 10 million people

Transport for London has confirmed that a cyber-attack carried out in late summer 2024 exposed personal data belonging to roughly 10 million individuals, one of the largest data breaches involving a UK public body in recent years.

Reporting by the BBC found that a database obtained from a member of a hacking community contained nearly 15 million rows of information, including names, email addresses, home and mobile phone numbers and physical addresses. Some entries are believed to be duplicates, but the broadcaster said the dataset appears to represent around 10 million people whose information was taken.

The breach occurred between late August and early September 2024 when the cyber-crime group Scattered Spider infiltrated TfL’s internal systems and downloaded customer data. The attack disrupted several online services and caused information boards across parts of the network to go offline, with TfL estimating the incident caused about £39 million in damages.

TfL told the BBC it had notified 7,113,429 customers whose accounts had registered email addresses, but the organisation said only 58 per cent opened the notification. The figure suggests millions of people whose data was compromised may not have seen the warning, or did not have an email address linked to their account.

The transport authority said a small group of customers faced greater potential risk because additional financial information may have been accessed. TfL previously identified about 5,000 individuals whose Oyster card refund data, including bank account numbers and sort codes, may have been exposed and contacted them directly by email and post.

A TfL spokesperson said the organisation had investigated the incident and informed customers about the types of information that may have been taken. “We publicised that information on customer names and contact details may have been taken – including email addresses and home addresses, where provided,” the spokesperson said.

Security specialists say understanding the scale of breaches is important for those affected. Andy Ward, SVP International, Absolute Security, commented: “This TfL breach highlights the critical importance of identifying and remediating cyber incidents immediately; every hour of delay multiplies the potential damage. These threats are not a matter of if, but when, and they can impact both the safety and privacy of customers, as well as operational downtime for the organisation itself.”

The UK’s data regulator, the Information Commissioner's Office, has cleared TfL of wrongdoing in relation to both the breach and the organisation’s response.


