
A major cyber attack on Transport for London (TfL) between August and September 2024, which targeted the transport operator's IT systems and websites, compromised the data of around 10 million people, the BBC has learned.
The news agency said the massive cyber attack on Transport for London now ranks as "one of the biggest hacks in British history" given the scale of the breach. Aside from stealing customer data, the hackers also disrupted essential services such as Live Tube arrival information on certain digital channels, including TfL Go and the TfL website.
TfL said in late 2024 that the cyber attack compromised commuters’ sensitive personal information such as their names, contact details, email addresses and home addresses. The hacking incident also compromised bank account numbers and sort codes for a limited number of customers who owned Oyster travel cards.
On September 16, 2024, the National Crime Agency arrested two teenaged hackers, Thalha Jubair from East London and Owen Flowers from Walsall, for launching the cyber attack on TfL. The hackers were also believed to be behind cyber attacks on the networks of U.S. healthcare companies such as SSM Health Care Corporation and Sutter Health.
Jubair and Flowers were suspected to be members of Scattered Spider, a cyber crime collective founded in 2022 and largely composed of young individuals in the U.S. and the UK. The group routinely targets cloud environments, software applications and digital assets of large corporations to deploy ransomware and steal data.
The cyber attack on TfL in August 2024 reportedly compromised real-time service updates, causing widespread confusion among commuters, and disrupted ticketing and operational systems, affecting the timings and services of the Underground, buses and trains. TfL estimated that the cyber security incident caused about £39 million in damages.
Jubair and Flowers pleaded not guilty to hacking charges in a UK court in November 2025 and their trial will commence in June this year.
The BBC reported on Friday that the Scattered Spider group shared with it a database containing customer information stolen during the cyber attack on TfL, enabling the news agency to establish an approximate count of affected individuals. The database contained an estimated 10 million commuters’ names, email addresses, home phone numbers, mobile phone numbers and physical addresses.
Following BBC’s report, TfL issued a statement to dispute the figures, stating that it sent emails to 7,113,429 customers to notify them about the incident. However, the count does not include commuters who do not have email addresses registered with TfL.
"TfL said that they did communicate with over 7 million people; it said that only 58% of the emails had an open rate. This is very concerning and this was their opportunity to act and communicate more widely on the scale of the breach," said Keven Knight, CEO of Talion.
"They should have been doing more to make people aware that they had been sending emails so that they could be on the lookout for them. Not taking action could imply they were trying to bury the true scale of the incident, which is not only dangerous but also highly irresponsible.
"Now a huge proportion of these victims have been left completely in the dark about the fact that their data was compromised. This would have left them more susceptible to phishing emails.
"Moving forward, this is not the kind of action we should ever expect from a government-associated organisation. If bounce-back emails are coming in, or if people are not reading breach notifications, this means other communications avenues are required. Leaving victims completely in the dark is not the answer," he added.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543