Scattered Spider TfL Hack Exposed Personal Data of 10 Million People, BBC Investigation Finds
A BBC investigation has revealed that the 2024 Scattered Spider cyberattack on Transport for London (TfL) exposed the personal data of approximately 10 million people, far more than TfL publicly disclosed at the time, making it one of the largest data breaches in British history. The stolen database, shared with the BBC for verification, contains names, email addresses, home and mobile phone numbers, and physical addresses of millions of Londoners, along with Oyster card refund data, including bank account numbers, for around 5,000 customers at heightened risk. TfL sent breach notifications to only 7.1 million customers with registered email addresses, leaving millions more without direct notification. The ICO cleared TfL of wrongdoing after reviewing the full extent of the breach in February 2025.
Key Takeaways
- Scattered Spider's 2024 TfL breach exposed ~10 million people's personal data (names, emails, phone numbers, addresses); ~5,000 also had Oyster refund bank account/sort code data exposed
- TfL sent notification emails to only 7,113,429 customers with registered email addresses, with an open rate of only 58%, leaving millions effectively unnotified; ICO cleared TfL in February 2025
- Breach database (~15 million lines including duplicates) confirmed by a BBC journalist who personally found their own record; UK companies are not legally required to disclose total breach scale publicly
Original source: BBC