Date: 2026-03-06

(MENAFN - Live Mint) Approximately 10 million people had their personal data compromised in a cyberattack on Transport for London (TfL) in 2024, making it one of the largest data breaches in the UK, according to a BBC report on Friday. The BBC said it arrived at the figure after examining data from an anonymous source who had obtained a copy of the full TfL database.

The breach, which occurred between August 29 and September 6, 2024, did not disrupt transport operations across TfL's networks but led to three months of interruptions to its online services, reportedly costing the organisation tens of millions of pounds.

Investigators suspect that the attack was carried out by an online criminal group known as Scattered Spider. Two British teenagers were charged last year in connection with the incident and are scheduled to stand trial in June.

Transport for London had earlier flagged that the cyberattack, discovered on September 1, 2024, compromised some customer names and contact information.

TfL spokesperson reacts

A TfL spokesperson said on Friday that approximately 5,000 customers were contacted because certain refund-related information, including bank account details, might have been accessed.

"In addition, we publicised that information on customer names and contact details may have been taken - including email addresses and home addresses, where provided," a TfL spokesperson mentioned.

TfL stated that it conducted a comprehensive investigation into the hack but did not provide an exact number of affected individuals. The organisation has now confirmed that it sent emails to 7,113,429 customers who had an email address linked to their TfL account to inform them of the incident.

However, with a reported 58% email open rate, this indicates that millions of impacted people either did not read the mandatory notification or, like myself, did not have a valid email registered and were therefore not alerted that their data had been compromised.

Some companies that experience data breaches do disclose the full scope of the incident, particularly in other countries. In the Netherlands, telecom company Odido has been open about an ongoing data extortion attack, reporting that six million customers were affected.

In Japan, beer producer Asahi detailed specifically what information was stolen from around two million people during a ransomware attack. In South Korea, e-commerce giant Coupang revealed that 33 million customers were impacted and even provided vouchers as compensation.

In contrast, companies in the UK that suffer cyber-attacks are not legally obligated to publicly reveal the total number of people affected by such breaches.

Meanwhile, cybercriminal groups increasingly targeted UK companies last year, hitting retail chains such as Marks & Spencer and the Co-op, as well as car manufacturer Jaguar Land Rover.