
Scattered Spider attack on TfL affected 10 million people

The 2024 Scattered Spider attack on Transport for London affected approximately 10 million people, many of whom remain blissfully unaware their data was compromised

The scale of the 2024 Scattered Spider cyber attack on Transport for London (TfL) was far wider in its scope than first imagined, with the personal data of millions of London’s bus, train and underground passengers affected, it has emerged.

According to the BBC, which has obtained and reviewed a copy of the database from an unnamed hacker, the data contained the names, email addresses, landline and mobile phone numbers, and street addresses of approximately 10 million people. Computer Weekly understands the copy of the database, which contained 15 million lines of data, has been destroyed.

Scattered Spider breached TfL’s systems in August 2024 – with the incident coming to light at the start of September – and forced TfL to pay millions in response and remediation costs, with the authority ultimately facing a bill of almost £40m.

It did not affect TfL’s ability to run its core services, but caused severe disruption to technical services such as third-party application programming interfaces (APIs) and public-facing Oyster services.

Two teenagers, since named as Owen Flowers and Thalha Jubair, appeared at Westminster Magistrates’ Court in September 2025 charged with offences relating to the incident. A full trial is set to take place later this year.

TfL told Computer Weekly it had widely publicised information on stolen data in September 2024 and kept customers informed throughout its investigation.

“The security of our systems and customer data is extremely important to us and we continually monitor our systems to ensure only those authorised can gain access and continue to take all the necessary actions to protect them,” said a spokesperson.

“At the time of the incident, we identified around 5,000 customers requiring support as we knew that some of their Oyster card refund data may also have been accessed, which could include bank account numbers and sort codes. As a precautionary measure, we contacted those customers directly as soon as possible to offer our support and the steps they could take.”

However, in disclosing the incident, TfL also said it had only reached out to just over seven million individuals who had registered their email addresses with it, and about 40% of those emails were never opened, suggesting millions of people have no idea their data was leaked in the first place.

ESET’s Jake Moore said the most surprising element of the situation was not so much that millions of people were affected by the breach as that it took nearly 18 months for it to come to light.

“Ten million records is an incredibly valuable dataset for criminals, and when joined up to further previously exposed data, it becomes a treasure trove that is never deleted,” said Moore.

“Even if the data hasn’t been actively abused yet, it’s highly likely that it will be traded and reused in scams for years.

“When millions of ordinary people rely on a service like this every day, the impact goes far beyond the organisation itself, which is why immediate transparency around the scale of a cyber attack is so important,” he said. “Anyone who had payment details linked to a TfL account should therefore continue to keep a close eye on their bank statements and remain cautious of any unexpected messages.”

Emails overlooked

Keven Knight, CEO of Talion, said it was concerning that only 58% of the notification emails sent by TfL were ever opened, given that this was the organisation’s most significant opportunity to act and communicate more widely.

“They [TfL] should have been doing more to make people aware that they had been sending emails so that they could be on the lookout for them,” he said. “Not taking action could imply they were trying to bury the true scale of the incident, which is not only dangerous, but also highly irresponsible.

“Now a huge proportion of these victims have been left completely in the dark about the fact that their data was compromised. This would have left them more susceptible to phishing emails.”

Knight added: “This is not the kind of action we should ever expect from a government-associated organisation. If bounceback emails are coming in, or if people are not reading breach notifications, this means other communications avenues are required. Leaving victims completely in the dark is not the answer.”

Next steps

Although it appears that the dataset has not been widely abused, in the wake of the latest disclosure, ESET’s Moore advised that anybody who has ever linked their email or payment details to a TfL account should keep a close eye out for unexpected inbound contacts and unexplained charges on their bank or credit card statements.

Further guidance for consumers affected by breaches at organisations holding their data is available from the UK’s National Cyber Security Centre (NCSC).

This article was amended at 17:08 GMT on Friday 6 March to incorporate a response from TfL.
