Transport for London’s 2024 data breach impacted approximately 10 million people, yet its initial public disclosure severely misrepresented the scale, with millions left uninformed due to poor email notification practices. This event underscores a critical failure in UK cyber incident transparency and exposes millions to heightened fraud risk.
The full, staggering scale of the Transport for London (TfL) cyber-attack in late August 2024 has been revealed: approximately 10 million individuals had their personal data stolen by the Scattered Spider crime group, making it one of the largest data breaches in British history. This figure, established by BBC News after verifying a copy of the stolen database, directly contradicts TfL’s initial, vague public statements that only “some” customers were impacted.
The hackers breached TfL’s internal systems, causing £39 million in damages and disrupting online services. They exfiltrated a database containing names, email addresses, home and mobile phone numbers, and physical addresses. The file, viewed by the BBC, contained nearly 15 million lines of data, with duplicates accounting for the variance between the file size and the estimated 10 million unique individuals affected.
The Notification Failure: Why Millions Remained in the Dark
TfL’s post-breach communication strategy was fundamentally flawed. While the organization claimed to have “kept customers informed,” it sent email notifications only to the 7,113,429 accounts with a registered email address. Crucially, these emails achieved only a 58% open rate. This means millions of people whose data was stolen either did not see the statutory notification or, like the BBC journalist who reported the story, did not have an active email on file and received no direct warning at all.
This gap between the total affected population and those effectively notified represents a massive failure in user alert protocols. For users without a linked email, and for those who ignored the notification because official-looking emails are a common scam tactic, the stolen data, a perfect dataset for phishing and fraud, entered the criminal ecosystem with virtually no warning.
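As an added illustration (not code from the article, the BBC or TfL), the Python sketch below shows the two calculations behind the figures above from an incident responder's side: deduplicating a leaked contact dump to estimate how many distinct people it covers, and estimating how many of them an email-only notification actually reaches. The sample rows, the email/phone normalisation rules and the simplified UK dialling-prefix handling are constructed assumptions.

```python
import re

# Constructed sample rows in the shape the article describes (name, email,
# phone, address). Rows 0/1 and 3/4 are the same person written differently.
SAMPLE_ROWS = [
    ("Ann Example", "Ann.Example@example.org", "+44 7700 900123", "1 High St"),
    ("ann example", "ann.example@example.org", "07700900123", "1 High Street"),
    ("Bo Example", "", "07700 900456", "2 Low Rd"),
    ("Cy Example", "cy@example.org", "+447700900789", "3 Mid Ln"),
    ("Cy Example", "CY@EXAMPLE.ORG", "", "3 Mid Ln"),
]

def norm_email(s):
    return s.strip().lower() or None

def norm_phone(s):
    digits = re.sub(r"\D", "", s)            # keep digits only
    if digits.startswith("44"):              # assumed: UK +44 prefix -> trunk 0
        digits = "0" + digits[2:]
    return digits or None

def unique_people(rows):
    """Group rows that share a normalised email or phone (union-find).
    Returns one set of contact identifiers per distinct person."""
    parent = {}
    def find(x):
        while parent.setdefault(x, x) != x:
            x = parent[x]
        return x
    row_ids = []
    for i, (_name, email, phone, _addr) in enumerate(rows):
        ids = [k for k in (("e", norm_email(email)), ("p", norm_phone(phone))) if k[1]]
        ids = ids or [("row", i)]            # no contact data: counts as its own person
        for k in ids[1:]:
            parent[find(k)] = find(ids[0])
        row_ids.append(ids)
    groups = {}
    for ids in row_ids:
        groups.setdefault(find(ids[0]), set()).update(ids)
    return list(groups.values())

def notification_coverage(rows, open_rate):
    """Breach scope, and how many people an email-only notification likely reaches."""
    people = unique_people(rows)
    emailable = sum(1 for p in people if any(t == "e" for t, _ in p))
    return {"raw_rows": len(rows), "unique_people": len(people),
            "emailable": emailable, "no_email": len(people) - emailable,
            "likely_read": round(emailable * open_rate)}
```

Applied to the article's headline figures, the same arithmetic (7,113,429 emailed accounts at a 58% open rate) gives roughly 4.1 million people who likely read the notice out of an estimated 10 million affected.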
Transparency Gap: How the UK Lags Behind Global Standards
The TfL case highlights a permissive UK regulatory environment where companies are not legally required to publicly disclose the precise number of individuals affected by a data breach. Experts argue this opacity hinders the fight against cybercrime.
Contrast TfL’s handling with other major international breaches:
- Odido (Netherlands): Transparently disclosed a ransomware extortion attack impacted six million customers.
- Asahi (Japan): Precisely explained what data was stolen from two million people during a ransomware attack.
- Coupang (South Korea): Publicly stated 33 million customers were affected and offered compensation vouchers.
“After a breach it’s essential that individuals are informed exactly what has happened to their data and what the potential risk might be to their privacy,” says data protection consultant Carl Gottleib. He adds that knowing the scale is critical because “large datasets can be more valuable to attackers and more likely to be used in future fraud attempts.” Security researcher Kevin Beaumont called disclosing breach scale “the most basic requirement for transparency,” suggesting UK law should be reformed to mandate it.
The Regulatory Green Light and Lingering Risks
Despite the scale and notification failures, the UK’s Information Commissioner’s Office (ICO) cleared TfL of any wrongdoing in February 2025. The regulator stated it “carefully examined the full circumstances” and concluded “formal regulatory action was not proportionate.” The ICO confirmed it was aware that around 10 million people were affected but has not required TfL to take further action, stating the company must update them if new risk information emerges.
This decision places the onus squarely on individuals. While TfL identified about 5,000 customers at “heightened risk” because their Oyster card refund data (potentially including bank details) may have been accessed and offered them support, the vast majority of the 10 million are left to manage their own risk mitigation. The stolen data is already circulating in hacking communities, though the source who shared it with the BBC was not aware of it being used for specific attacks yet.
For the 10 million affected, the immediate risk is a dramatic increase in sophisticated, personalized phishing attacks and fraud. Scammers can use the combination of names, addresses, and phone numbers to craft believable narratives, bypassing many standard security filters.
The trial of two British teenagers accused of carrying out the hack for Scattered Spider is set to begin in June, offering a potential but limited accountability mechanism for the perpetrators.
The TfL breach is a textbook case study in how not to handle a cyber incident: a massive, delayed truth disclosure paired with a notification strategy that guaranteed a significant portion of victims would remain unaware. Until UK law mandates transparent, comprehensive, and effective breach notification, users must assume their data could be exposed in any major service compromise and act accordingly.