
Around 10 million people had their personal data compromised in a 2024 cyber attack on Transport for London (TfL), making it one of the UK’s biggest data breaches, according to a BBC report on Friday. The figure was arrived at after examining data from an anonymous source who obtained a copy of TfL’s entire database.
The breach, which took place between 29 August and 6 September 2024, did not disrupt transport operations on TfL’s networks but resulted in a three-month disruption to its online services, which is said to have cost the company tens of millions of pounds.
Investigators suspect the attack was carried out by an online crime group known as Scattered Spider. Two British teenagers were charged in connection with the incident last year and are expected to stand trial in June.
Transport for London previously said the cyber attack, discovered on September 1, 2024, had compromised some customer names and contact information.
A TfL spokesperson responds
A TfL spokesman said on Friday that around 5,000 customers had been contacted because certain refund-related information, including bank account details, could be accessed.
“In addition, we have disclosed that information about customers’ names and contact details – including email addresses and home addresses where provided – may have been obtained,” a TfL spokesman said.
TfL said it had carried out a comprehensive investigation into the hack, but did not specify the exact number of people affected. The organization has now confirmed it emailed 7,113,429 customers who had an email address linked to their TfL account to inform them of the incident.
However, with a reported 58% email open rate, this means that millions of affected people either didn’t read the mandatory notice or, like me, didn’t have a valid email registered and were therefore not notified that their data had been compromised.
Some companies that have experienced a data breach do publicize the full extent of the incident, especially in other countries. In the Netherlands, telecom company Odido has been open about an ongoing data extortion attack, announcing that six million customers have been affected.
In Japan, beer maker Asahi specifically described what information was stolen from approximately two million people during a ransomware attack. In South Korea, e-commerce giant Coupang revealed that 33 million customers were affected and even provided vouchers as compensation.
In contrast, companies in the UK that are subject to cyber attacks are not required by law to disclose the total number of people affected by such breaches.
Meanwhile, cybercriminal groups increasingly targeted British companies last year, hitting retail chains such as Marks & Spencer and the Co-op, as well as car manufacturer Jaguar Land Rover.




