- TfL reportedly admits scale of cyber attacks in 2024 was much greater than first thought
- About 10 million people may have had their personal information stolen
- Names, email addresses, home phone numbers, cell phone numbers and physical addresses were all stolen
Transport for London (TfL) has confirmed that around 10 million people had their data stolen in a cyber attack in 2024, new reports have claimed.
The BBC has reported the figures after allegedly seeing a copy of a database stolen by hacker group Scattered Spider, containing names, email addresses, home phone numbers, mobile phone numbers and physical addresses.
The August 2024 attack caused major disruption to TfL systems, with online services and information boards all affected, and an estimated £39 million in damage.
TfL cyber attack
TfL initially said only “some” customers were affected and told the BBC it was “keeping customers informed throughout this incident and will continue to take all necessary measures”.
It noted that a full investigation had been carried out but did not say exactly how many people had been affected – until now, admitting that 7,113,429 customers with an email address registered to their TfL account had been alerted.
However, these emails only had an open rate of 58% – meaning millions of people affected potentially did not read the statutory notice, and those who did not have an active email registered with TfL may still be unaware that criminals may have their data.
The BBC noted that the database had almost 15 million lines of data in total, but many of these appear to be duplicates.
TfL has been cleared by the Information Commissioner’s Office (ICO), the UK’s data watchdog, of any wrongdoing for the breach and its handling of the aftermath, but admitted at the time of the incident that only around 5,000 users were contacted because their Oyster card refund data may have been accessed, meaning bank account numbers and sort codes may have been affected.
TfL admitted in December 2024 that it had to spend around £30 million (about $38 million) to address the attack, including “external support” – third-party cyber security organizations helping to respond and mitigate the attack.
Two British teenagers accused of carrying out the hack are due to go on trial in June 2026.
“The most surprising part of the TfL breach is not that millions of people had their data stolen, it’s that the true extent only became clear long after the incident occurred,” noted Jake Moore, Global Cybersecurity Advisor at ESET.
“Ten million records are an incredibly valuable data set for criminals, and when put together with additional previously disclosed data, it becomes a treasure trove that will never be erased. Even if the data has not been actively misused yet, it is highly likely that it will be traded and re-used in fraud for years.”
“When millions of ordinary people rely on a service like this every day, the impact goes far beyond the organization itself, which is why immediate transparency around the scale of a cyber-attack is so important. Anyone who had payment details linked to a TfL account should therefore continue to keep a close eye on their account statements and be wary of any unexpected messages.”



