Hackers accessed the personal data of 10 million Transport for London (TfL) users during a cyberattack that occurred in 2024. The magnitude of the incident was confirmed by official sources this Friday, after weeks of investigations and notifications to those affected.
Scope of the attack and compromised data
According to the information provided, the attackers managed to obtain names, email and postal addresses, as well as phone numbers of approximately 10 million people. TfL acknowledged that personal customer data had been accessed, although it clarified that the impact had been "very limited".
In September 2024, the company sent an email to more than 7 million customers to warn them of the possibility that some data had been stolen. The alert was directed to all those of whom TfL had a contact address.
Assistance to the affected and bank details
A TfL spokesperson specified that they identified about 5,000 customers who needed specific assistance, since there was a suspicion that some of their refund data, particularly banking data, could have been accessed by the attackers.
"We identified around 5,000 customers who needed assistance, because we knew that some of their refund data might have been accessed" - Spokesperson, Transport for London
The company maintains that access to sensitive information was limited and that security measures were reinforced after the incident.
Judicial investigation and alleged responsible parties
British justice formally charged last year two men, aged 18 and 19 at the time, in connection with this case. Both will be tried starting in June and it is suspected that they are part of an online criminal collective known as Scattered Spider. The judicial process is ongoing and the accused maintain the presumption of innocence until sentence is passed.
Context of cyberattacks in the United Kingdom
The United Kingdom has experienced several major cyberattacks in the last year. The criminal actions have especially affected retail chains such as Marks & Spencer, Harrods and Co-op, as well as the car manufacturer Jaguar Land Rover. Concern for digital security remains high in the public and private sector after these incidents.