Transport for London says 2024 breach affected 7M customers, not 5,000

Transport for London has confirmed that a 2024 breach exposed the data of more than 7 million people – a far larger crowd than the few thousand customers originally warned that their details might be at risk.

The BBC reported on Friday that the 2024 intrusion into TfL's systems potentially gave attackers access to a database covering as many as 10 million customers who had interacted with the capital's transport network.

When quizzed by The Register, TfL didn't dispute the BBC's reporting, but suggested the number affected may be slightly lower. It confirmed it had sent emails informing more than 7 million customers about the incident, though noted an open rate of 58 percent – meaning millions actually saw the warning in their inbox. TfL said these were the customers it had email addresses for, based on the data understood to have been taken and after accounting for duplicate records.

This figure is a far cry from the 5,000 initially tabled by TfL, though the transport network confirmed to The Register that those customers were contacted as a high priority because their bank account data was likely accessed.

"At the time of the incident, we identified around 5,000 customers requiring support as we knew that some of their Oyster card refund data may also have been accessed, which could include bank account numbers and sort codes," a TfL spokesperson told The Register. "As a precautionary measure, we contacted those customers directly as soon as possible to offer our support and the steps they could take."

"In addition, we publicized that information on customer names and contact details may have been taken – including email addresses and home addresses, where provided. We have kept our customers informed throughout this incident and will continue to take all necessary action," the spokesperson added.
TfL confirmed in September 2024 that hackers had gained unauthorized access to internal systems, forcing the transport authority into a scramble to contain the damage. Core services kept running, but parts of the organization's digital systems were knocked offline while engineers worked to secure accounts and restore services. Online customer portals were disrupted, logins became unreliable, and some third-party apps that rely on TfL data feeds briefly lost access while the cleanup operation got underway.

Police later charged two teenagers in connection with the intrusion. Authorities have linked the attack to the cybercrime collective known as Scattered Spider, an English-speaking crew that has built a reputation for breaching major organizations using social engineering, SIM swapping, and other decidedly low-glamour tactics that nonetheless keep working.

The newly confirmed 7 million figure doesn't mean attackers definitely exfiltrated data on all those people. It's the size of the dataset sitting in the systems they accessed, and the gap between "accessed" and "confirmed taken" is exactly the sort of nuance lawyers and regulators tend to focus on.

Speaking of regulators, the Information Commissioner's Office looked into the breach but ultimately decided not to take enforcement action against TfL, concluding the authority's response was proportionate. The privacy watchdog did not respond to The Register's questions today.

For an organization that moves millions of people around London every day, it's perhaps no surprise the passenger data pile is just as large. When attackers get into the wrong system, the number of records sitting there can quickly start to resemble rush hour on the Central line. ®