TfL hack in 2024 affected around 10 million people, BBC can reveal

Joe Tidy, Cyber correspondent

[Image: People waiting for a train on London Underground. Getty Images]

Around 10 million people had their data stolen when Transport for London (TfL) was hacked in 2024, the BBC has discovered, making it one of the biggest hacks in British history.

At the time the company only disclosed that "some" customers had been affected, but has now confirmed that millions of people had their personal data taken.

The cyber-attack, by hackers from the so-called Scattered Spider crime group, breached TfL's internal computer systems, disrupting its online services and causing £39m in damages.

The hackers downloaded a database containing customer information - and by viewing a copy of that file, BBC News has established the scale of the hack.

TfL insisted to the BBC it has "kept customers informed throughout this incident and will continue to take all necessary action".

The attack, which took place between late August and early September 2024, did not directly impact London transport but saw many TfL online services and information boards go offline.

The trial of two British teenagers accused of carrying out the hack is set to begin in June.

Millions of names

The BBC was contacted by someone in the hacking community who obtained a copy of the full TfL database.

It contains names, email addresses, home phone numbers, mobile phone numbers and physical addresses of an estimated 10 million people.

The person, who did not reveal their identity, shared the database with the BBC so it could verify the data.

The data, deleted by the BBC after viewing, contains millions of lines of names and personal details - including my own.

In total it has nearly 15 million 'lines' of data, but some of these are thought to be duplicates.

TfL has said it carried out a thorough investigation into the hack, but refused to give a precise figure for how many people were affected.

Now, the organisation has admitted it sent emails to 7,113,429 customers with an email address registered to their TfL account to notify them of the incident.

But it said the emails had a 58% open rate - suggesting millions of people impacted did not read the statutory notification or that those who, like myself, did not have an active email registered were not warned that criminals had their data.

The risk to individuals remains low but being a victim of a data breach increases the likelihood of being targeted in scams and fraud attacks.

Stolen databases are often traded or shared in hacker communities and forums.

The person who shared the database with the BBC says they are not aware of the data being used to carry out any secondary attacks yet.

Informing the public

TfL said at the time of the incident it had identified about 5,000 customers at heightened risk because their Oyster card refund data may also have been accessed, which could include bank account numbers and sort codes.

The company said "as a precautionary measure" it wrote to these people on email and by post offering support.

"In addition, we publicised that information on customer names and contact details may have been taken - including email addresses and home addresses, where provided," a TfL spokesperson added.

Some hacked companies do tell the public the full extent of data breaches, especially in other countries:

  • In the Netherlands, telecoms firm Odido has been transparent in its response to an ongoing data extortion attack, saying six million customers are impacted
  • In South Korea, e-commerce giant Coupang told the public 33 million customers had been affected and even offered vouchers as compensation.

But companies falling victim to cyber-attacks in the UK are not legally required to publicly disclose the total number affected by breaches.

Last year the Co-op admitted - when asked during a live TV interview on the BBC - that 6.5 million people were affected by its breach last spring.

Neither Marks and Spencer nor Harrods have put a number on breaches occurring around the same time.

Data protection and cyber security experts say not revealing this information does little to help the fight against cyber-crime.

"After a breach it's essential that individuals are informed exactly what has happened to their data and what the potential risk might be to their privacy," says data protection consultant Carl Gottleib.

He adds knowing the scale of the breach is important "as large datasets can be more valuable to attackers and more likely to be used in future fraud attempts".

Security researcher Kevin Beaumont said informing the public of the scale of a breach was "the most basic requirement for transparency", adding UK regulation or the law should change to help victims of data theft.

TfL was cleared by the UK's data watchdog, the Information Commissioner's Office (ICO), of any wrongdoing for the breach and its handling of the aftermath.

The regulator has since told the BBC it was informed of the full extent of the TfL breach but ruled in February 2025 no further action was needed.

The data protection watchdog said it "carefully examined the full circumstances of the incident," including the actions taken by TfL to notify victims.

"Based on this, we concluded that formal regulatory action was not proportionate in this case. If TfL becomes aware of new information that changes the risk assessment or indicates harm to individuals, they are required to update us," an ICO spokesperson said.