Recent Breaches
Breaches
2026PowerSchool62.4M records stolen2026DISA Global Solutions3.3M records stolen2026Globe Life850K records stolen2026NHS ScotlandUndisclosed records stolen2026HertzUndisclosed records stolen2025Marks & Spencer9.4M records stolen2025PayPal35K records stolen2025Jaguar Land RoverUndisclosed records stolen2025Co-operative GroupUndisclosed records stolen2024National Public Data2.9B records stolen2024Ticketmaster560M records stolen2024Change Healthcare100M+ records stolen2024AT&T73M records stolen2024Dell Technologies49M records stolen2023Progress Software (MOVEit)77M+ records stolen202323andMe6.9M records stolen2023Royal MailOperations halted records stolen2023British LibraryUndisclosed records stolen2023MGM ResortsUndisclosed records stolen2022Uber57M records stolen2022LastPass33M records stolen2022Optus9.8M records stolen2022Medibank9.7M records stolen2022Twitter5.4M records stolen2026NHS ScotlandUndisclosed records stolen2026HertzUndisclosed records stolen2025Marks & Spencer9.4M records stolen2025PayPal35K records stolen2025Jaguar Land RoverUndisclosed records stolen2025Co-operative GroupUndisclosed records stolen2024National Public Data2.9B records stolen2024Ticketmaster560M records stolen2024Change Healthcare100M+ records stolen2024AT&T73M records stolen2024Dell Technologies49M records stolen2023Progress Software (MOVEit)77M+ records stolen202323andMe6.9M records stolen2023Royal MailOperations halted records stolen2023British LibraryUndisclosed records stolen2023MGM ResortsUndisclosed records stolen2022Uber57M records stolen2022LastPass33M records stolen2022Optus9.8M records stolen2022Medibank9.7M records stolen2022Twitter5.4M records stolen2026PowerSchool62.4M records stolen2026DISA Global Solutions3.3M records stolen2026Globe Life850K records stolen
View All →
Back to Knowledge Vault
News11 March 20264 min read

TfL Hack: 10 Million Records Stolen in Major Breach

Transport for London has confirmed that around 10 million customer records were stolen during the 2024 Scattered Spider cyber attack, making it one of the largest data breaches in British history. The revelation raises urgent questions about transparency, regulatory accountability and the case for offline secure storage.

Mark Fermor

Mark Fermor

Director & Co-Founder, Firevault

Share
Transport for London headquarters exterior, representing the TfL cyber attack that exposed 10 million customer records

10 Million Records Stolen in TfL Cyber Attack

Transport for London (TfL) has now confirmed that approximately 10 million people had their personal data stolen during a cyber attack in late 2024, making it one of the largest data breaches in British history.

The attack, carried out by hackers linked to the Scattered Spider crime group, breached TfL's internal computer systems between late August and early September 2024. While the organisation initially disclosed only that "some" customers had been affected, the true scale has now been revealed by the BBC, which obtained and verified a copy of the stolen database.

The breach caused an estimated £39 million in damages and disrupted online services across the London transport network.

What Was Stolen

The stolen database contains names, email addresses, home phone numbers, mobile phone numbers and physical addresses of an estimated 10 million people. In total, the file holds nearly 15 million lines of data, though some are believed to be duplicates.

TfL has also confirmed that approximately 5,000 customers were at heightened risk because their Oyster card refund data, including bank account numbers and sort codes, may have been accessed.

A Transparency Gap

TfL sent notification emails to 7,113,429 customers with registered email addresses. However, with only a 58% open rate, millions of affected individuals may never have learned their data was compromised.

Companies in the UK are not legally required to publicly disclose the total number of people affected by a data breach. This stands in contrast to other jurisdictions:

  • In the Netherlands, telecoms firm Odido publicly confirmed six million customers were impacted by an ongoing data extortion attack
  • In Japan, beer maker Asahi disclosed exactly what data was stolen from around two million people during a ransomware attack
  • In South Korea, e-commerce giant Coupang told the public 33 million customers had been affected and offered vouchers as compensation

Data protection consultant Carl Gotleib noted that "after a breach it is essential that individuals are informed exactly what has happened to their data and what the potential risk might be to their privacy." He added that large datasets can be more valuable to attackers and more likely to be used in future fraud attempts.

Security researcher Kevin Beaumont described informing the public of the scale of a breach as "the most basic requirement for transparency."

The Regulatory Response

The Information Commissioner's Office (ICO) cleared TfL of any wrongdoing for the breach and its handling of the aftermath, ruling in February 2025 that no further action was needed. The regulator confirmed it was informed of the full extent of the breach but concluded formal regulatory action was "not proportionate."

The trial of two British teenagers accused of carrying out the hack is set to begin in June 2026.

The Firevault View

This breach illustrates a structural problem that no amount of perimeter security can solve. Once attackers are inside the network, digitally connected data is exposed in its entirety. Ten million records were exfiltrated because they were stored in a system that was always online and always reachable.

Firevault's offline secure storage model eliminates this attack surface entirely. Data held in a physically disconnected vault cannot be downloaded, copied or exfiltrated remotely, regardless of whether an attacker has breached the surrounding network. Physical isolation is not a feature. It is the architecture.

The TfL breach is a clear example of why organisations and individuals need to rethink where their most sensitive data resides. Cloud-connected databases remain the single largest target for organised cyber crime groups like Scattered Spider.

Learn how Firevault's Vault protects what matters most or explore our offline-first platform architecture.

What This Means for Individuals

For the estimated 10 million people affected, the immediate risk remains low but the long-term exposure is significant. Stolen databases are routinely traded in hacker communities and used to fuel phishing, scam and fraud campaigns months or years after the original breach.

Affected individuals should:

  • Be vigilant for unexpected communications referencing TfL or transport services
  • Monitor bank accounts linked to Oyster card refunds for suspicious activity
  • Consider whether sensitive personal documents are stored in always-online systems that could be similarly compromised

The question is no longer whether your data will be targeted. It is whether it will be reachable when it is.

About the author

Mark Fermor

Mark Fermor

Director & Co-Founder

The driving force behind Firevault's market presence, combining commercial vision with deep tech insight.

Share this article

News11 March 20264 min read

TfL Hack: 10 Million Records Stolen in Major Breach

Transport for London has confirmed that around 10 million customer records were stolen during the 2024 Scattered Spider cyber attack, making it one of the largest data breaches in British history. The revelation raises urgent questions about transparency, regulatory accountability and the case for offline secure storage.

TfL Hack: 10 Million Records Stolen in Major Breach
Mark Fermor
Published by Mark Fermor, Director & Co-Founder

    Your privacy matters

    We use cookies to keep the site running smoothly and to understand how you use it. You are in control. Privacy Charter · Cookie Policy