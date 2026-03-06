



Around 10 million people had their personal data stolen during the 2024 cyber-attack on Transport for London (TfL), according to an investigation by the BBC.

The figure makes the breach one of the largest in British history, far exceeding the initial reports from the transport body, which simply stated that “some” customers were affected.

The hack, carried out between late August and early September 2024 by the Scattered Spider crime group, breached internal computer systems and caused an estimated £39 million in damages.

While the attack did not stop physical transport services, it forced information boards and online payment systems offline for weeks.

The true scale of the data theft was established after the BBC viewed a database obtained by the hacking community containing nearly 15 million lines of information. This data includes the names, email addresses, home phone numbers and physical addresses of millions of passengers.

Although TfL told the BBC it has kept customers informed and continues to take necessary action, the organization admitted it only sent notification emails to approximately 7.1 million customers. Of those contacted, only 58% opened the email, suggesting millions of victims remain unaware that their details were compromised.

The breach has triggered criticism regarding the lack of transparency in UK cyber-security reporting. Unlike companies in the Netherlands, Japan, and South Korea – which have publicly disclosed the exact number of victims in recent high-profile hacks – UK firms are not legally required to reveal the total volume of people impacted by a data theft.

Security experts and data protection consultants argue that this lack of transparency hinders the fight against cybercrime, as large datasets are highly valuable to criminals for secondary fraud and phishing attacks.

Despite the scale of the incident, the Information Commissioner’s Office (ICO) cleared TfL of any wrongdoing in February 2025. The regulator stated that it had examined the circumstances and decided that formal regulatory action was not proportionate.

The criminal investigation remains ongoing, with the trial of two British teenagers accused of carrying out the hack scheduled to begin this June. While the immediate risk to most individuals is considered low, experts warn that the stolen data is likely being traded on hacker forums for future scams.

