---
layout: post
title: "Transport for London's 10 Million Person Data Breach Exposes a Broken System"
description: "TfL's massive 2024 hack affected 10 million people, yet the company downplayed it. Here's why UK companies get away with silence."
date: 2026-03-08 04:00:21 +0530
author: adam
image: 'https://images.unsplash.com/photo-1765707886613-f4961bbd07dd?q=80&w=988'
video_embed:
tags: [news, tech]
tags_color: '#1f78b4'
---

It took the BBC digging around hacker forums to discover what Transport for London wouldn't tell us: roughly 10 million people got their personal data stolen in a cyberattack last year. That's one of the biggest hacks in British history. Yet when it happened, TfL just shrugged and said "some" customers were affected.

Let that sink in for a moment. A breach of this magnitude, and the company responsible couldn't even be bothered to tell people the truth.

## The Numbers Don't Add Up

The Scattered Spider crime group hit TfL's systems between late August and early September 2024. They grabbed everything: names, email addresses, phone numbers, home addresses. Nearly 15 million lines of data, though some are duplicates. The damage bill came to 39 million pounds.

The actual notification effort? TfL sent emails to about 7.1 million customers. Sounds impressive until you realize that only 58% of those emails were opened. That means millions of people never even knew their data had been compromised. And then there's the awkward bit: if you didn't have an active email registered with TfL, you weren't warned at all.

A handful of customers, about 5,000, faced an even worse situation. Their Oyster card refund data may have been exposed too, which potentially included bank account numbers and sort codes. That's the kind of information that keeps you up at night.

## Why Companies Get Away With Silence

Here's the frustrating part. Companies in the UK aren't actually required by law to publicly disclose how many people are affected by a data breach. Not required. So TfL could hide the real numbers and face no legal consequences.

Look at what happened with other major breaches. The Co-op finally admitted to 6.5 million people affected only when a BBC presenter asked them on live television. Marks and Spencer and Harrods? Still haven't put numbers on their breaches from around the same time.

In other countries, especially the US, transparency is more of a given. Companies know they'll face backlash and legal trouble if they don't come clean. The UK's regulatory environment? It's more of a gentle nudge than actual enforcement.

## The Real Problem With Secrecy

Data protection consultant Carl Gottlieb puts it plainly: people need to know exactly what happened to their information and what risks they're actually facing. When you understand the scale of a breach, you understand your vulnerability.

Large datasets are more valuable to criminals. They're more likely to be used for fraud. They get traded around hacker communities and forums. The person who shared the TfL database with the BBC says it hasn't been used for secondary attacks yet, but that's a "yet" nobody should feel comfortable about.

The Information Commissioner's Office, the UK's data watchdog, cleared TfL of any wrongdoing. They looked at the whole situation and decided no further action was needed. The ICO even said they knew the full extent of the breach before making that call.

But security researcher Kevin Beaumont doesn't buy it. He argues that informing the public of the scale of a breach is "the most basic requirement for transparency." He's right. And he's calling for UK regulation to actually change so that victims of data theft get treated like they matter.

## The Technology of Evasion

What's weird is that the system isn't designed to protect companies. It's just designed to let them avoid accountability. The business case for silence is obvious: fewer people know about the problem, fewer people panic, fewer people threaten lawsuits.

But from a cybersecurity standpoint, this approach is backwards. The more people who know a breach happened, the more people can take precautions. The more people who understand their risk, the better they can protect themselves. Silence doesn't protect anyone except the company that got hacked.

Two British teenagers are facing trial in June for carrying out the attack. That's something, at least. But while they're being prosecuted, TfL gets to walk away from one of the biggest data breaches in British history having never actually told the public what happened.

That's not security. That's corporate convenience dressed up as compliance.

Written by Adam Makins