In one of the largest data breaches in British history, approximately 10 million individuals had their personal information compromised following a cyber-attack on Transport for London (TfL) in 2024. The incident, attributed to the Scattered Spider crime group, caused disruptions to TfL's online services and inflicted damages amounting to £39 million.
The breach occurred between late August and early September 2024, although it did not directly affect transport services in London. TfL initially reported that "some" customers were impacted but has since revealed the extensive scale of the theft. The compromised database included names, email addresses, and phone numbers, which were verified by the BBC after a tip-off from an anonymous source in the hacking community.
TfL has communicated that it sent notifications via email to over 7 million customers, achieving a 58% open rate. However, many affected individuals either did not read the notifications or lacked an active email address, potentially leaving them unaware of the data theft. While the risk to victims is currently deemed low, the incident raises concerns about future targeting for scams and fraud.
The trial for two British teenagers implicated in the hack is scheduled to commence in June.