The scale of the 2024 Scattered Spider cyber attack on Transport for London (TfL) was far wider in its scope than first imagined, with the personal data of millions of London’s bus, train and underground passengers affected, it has emerged.
According to the BBC, which has obtained and reviewed a copy of the database from an unnamed hacker, the data contained the names, email addresses, landline and mobile phone numbers, and street addresses of approximately 10 million people. Computer Weekly understands the copy of the database, which contained 15 million lines of data, has been destroyed.
Scattered Spider breached TfL’s systems in August 2024 – with the incident coming to light at the start of September – and forced TfL to pay millions in response and remediation costs, with the authority ultimately facing a bill of almost £40m.
It did not affect TfL’s ability to run its core services, but caused severe disruption to technical services such as third-party application programming interfaces (APIs) and public-facing Oyster services.
Two teenagers, since named as Owen Flowers and Thalha Jubair, appeared at Westminster Magistrate’s Court in September 2025 charged with offences relating to the incident. A full trial is set to take place later this year.
TfL told the BBC it had kept customers informed throughout its investigation and would continue to take further action as necessary. However, in disclosing the incident, it admitted it had only reached out to just over seven million individuals who had registered their email addresses with it, and about 40% of those emails were never opened, suggesting millions of people have no idea their data was leaked in the first place.
ESET’s Jake Moore said the most surprising element of the situation was less that millions of people were affected by the breach, but more that it took nearly 18 months for it to come to light.
“Ten million records is an incredibly valuable dataset for criminals, and when joined up to further previously exposed data, it becomes a treasure trove that is never deleted,” said Moore.
“Even if the data hasn’t been actively abused yet, it’s highly likely that it will be traded and reused in scams for years.
“When millions of ordinary people rely on a service like this every day, the impact goes far beyond the organisation itself, which is why immediate transparency around the scale of a cyber attack is so important,” he said. “Anyone who had payment details linked to a TfL account should therefore continue to keep a close eye on their bank statements and remain cautious of any unexpected messages.”
Emails overlooked
Keven Knight, CEO of Talion, said it was concerning that only 58% of the notification emails sent by TfL were ever opened, given that this was the organisation’s most significant opportunity to act and communicate more widely.
“They [TfL] should have been doing more to make people aware that they had been sending emails so that they could be on the lookout for them,” he said. “Not taking action could imply they were trying to bury the true scale of the incident, which is not only dangerous, but also highly irresponsible.
“Now a huge proportion of these victims have been left completely in the dark about the fact that their data was compromised. This would have left them more susceptible to phishing emails.
Knight added: “This is not the kind of action we should ever expect from a government-associated organisation. If bounceback emails are coming in, or if people are not reading breach notifications, this means other communications avenues are required. Leaving victims completely in the dark is not the answer.”
Next steps
Although it appears that the dataset has not been widely abused, in the wake of the latest disclosure, ESET’s Moore advised that anybody who has ever linked their email or payment details to a TfL account should keep a close eye out for unexpected inbound contacts and unexplained charges on their bank or credit card statements.
Further guidance for consumers affected by breaches at organisations holding their data is available from the UK’s National Cyber Security Centre (NCSC).
TfL has been contacted for further comment, but had not yet responded at the time of writing.
.png?ssl=1 "I Let Google’s ‘Auto Browse’ AI Agent Take Over Chrome. It Didn’t Quite Click")
