When news of the Transport for London (TfL) cyber-attack first emerged in 2024, the public were told that a relatively small number of customers faced a heightened risk.
But new reporting suggests the true scale of the breach may be far larger.
Investigations now indicate that up to 10 million people may have had personal information included in a stolen database linked to the attack. If accurate, that would make it one of the biggest known data breaches involving a UK public organisation.
What is particularly striking is that millions of those affected may never realise their data was involved.
Many people may never have seen the warning
TfL says it emailed more than seven million customers whose accounts were linked to an email address in the compromised systems. However, the organisation has acknowledged that only around 58% of those emails were opened.
That leaves a significant number of people who may have received a notification but never saw it — or who no longer use the email account connected to their TfL profile. Others may never have received a notification at all.
The result is that millions of people could be unaware their personal details were included in the dataset accessed by hackers.
What information may have been involved
Reports indicate that the database accessed during the attack contained a large volume of customer information.
This may have included:
- Names
- Email addresses
- Home addresses
- Mobile and landline phone numbers
In a smaller number of cases, Oyster refund records may also have been accessed, which could include bank account numbers and sort codes.
Transport for London has said the overall risk to individuals remains low.
However, even basic personal details can still be valuable to criminals.
Why stolen datasets can remain a risk for years
When large databases are taken during cyber-attacks, they often circulate within criminal communities for long periods of time.
Even if the data is not used immediately, it may later be combined with information from other breaches to build detailed identity profiles.
This can increase the risk of:
- Targeted phishing emails
- Impersonation scams
- Fraud attempts using personal details
- Highly convincing messages that appear legitimate
Security experts frequently advise that anyone whose information may have been involved in a breach should remain cautious about unexpected emails, phone calls or requests for personal information.
Staying informed about potential developments
The Information Commissioner’s Office investigated the TfL cyber-attack and concluded that formal enforcement action was not proportionate. However, as new details about the scale of the breach continue to emerge, questions remain about how widely the stolen data may circulate and what the long-term impact could be.
If you have used TfL services — such as Oyster cards, contactless travel accounts or online TfL services — your personal information may have been included in the affected systems.
Join the Claim is monitoring developments relating to the incident. If one of our regulated UK partner law firms decides to investigate potential legal action, we will provide updates explaining what options may be available.
Join the Claim connects consumers with SRA-regulated lawyers. Visit the claim page to check your eligibility if a claim is open with one of our trusted legal partners. If a group action has not yet been launched, you can register your interest and we’ll keep you informed if a partner firm decides to take a claim forward.