Around 10 million people may have had their personal information exposed after hackers breached Transport for London’s systems in 2024. Was your data involved?
Join the Claim isn’t a law firm. We connect you with regulated UK firms that run group action claims. If one of our partner firms takes this case forward, we’ll share more details, including how to check your eligibility.
Register your interest
Overview
Transport for London (TfL), the public authority responsible for London’s transport network, suffered a major cyber-attack in 2024 that exposed a large database of customer information.
Investigations have since revealed that the breach may have affected around 10 million people, making it one of the largest known data breaches involving a UK public body.
According to reports, hackers linked to the cybercrime group Scattered Spider gained access to internal TfL systems and downloaded a database containing millions of customer records.
The data reportedly included:
• Names
• Email addresses
• Mobile and landline phone numbers
• Home addresses
In a smaller number of cases, Oyster card refund records may also have been accessed, which could include bank account numbers and sort codes.
TfL has said the overall risk to individuals remains low. However, large stolen datasets can still circulate for years in cybercriminal communities, potentially increasing the risk of phishing, fraud or identity-related scams.
If you had a TfL account, Oyster card, or contactless travel history linked to your personal details, you may have been affected.
Register your interest today, and we will keep you informed if one of our regulated UK partner law firms is able to investigate potential legal action relating to the breach.
TfL data breach – At a glance
Why register with Join the Claim?
Join the Claim is bringing people together — uniting those who want answers, accountability and stronger data protections from the businesses they trust.
Staying informed is the first step towards change. By registering alongside others affected, you’re showing that people expect better. And that when something goes wrong, they want to see it put right.
What do we know about the TfL data breach?
How Join the Claim works
Take a moment to answer a few simple questions so we can understand your connection and keep you updated.
Share your details so we can keep you informed if any updates become available.
If a partner law firm takes this claim forward, we’ll let you know the next steps and how to join.
Latest updates on the TfL data breach
March 2026
Join the Claim starts raising awareness of the data breach. BBC reporting reveals the breach may have exposed data belonging to around 10 million people, significantly more than previously understood.
February 2025
The UK Information Commissioner’s Office confirms it has reviewed the incident and decided no formal enforcement action is required against TfL.
September 2024
TfL publicly confirms that hackers accessed internal systems and that customer information such as names and contact details may have been taken.
August–September 2024
Hackers linked to the cybercrime group Scattered Spider breached TfL’s systems during a cyber-attack that disrupted some digital services. Investigations later indicated that a large customer database may have been accessed and downloaded.
We’ll provide more updates on the data breach as they occur.
Are you affected by the TfL data breach?
Register to stay updated and we’ll let you know if a partner law firm takes this claim forward.
Frequently asked questions about the TfL data breach
Transport for London is the public body responsible for managing most of London’s transport network, including the Underground, buses, trams, the Overground and major roads. Millions of people use TfL services every day, and many customers have accounts linked to Oyster cards or contactless travel payments.
Hackers gained unauthorised access to TfL’s internal systems in 2024 and downloaded a database containing millions of customer records. The attackers are believed to be linked to the cybercrime group Scattered Spider.
Reports suggest up to 10 million people may have had personal data included in the stolen database. TfL notified more than 7 million customers by email, although many of those messages were never opened.
The stolen data is believed to include:
• Names
• Email addresses
• Home addresses
• Mobile and landline phone numbers
In a smaller number of cases, bank account details linked to Oyster refunds may also have been accessed.
Even if financial information was not widely exposed, personal details such as names, addresses and phone numbers can still be used in scams.
If you used TfL services and had an account linked to your personal details, you may have been affected by the breach. You can register your interest with Join the Claim to stay informed if one of our regulated UK partner law firms decides to investigate potential legal action.
We are not a law firm. Our role is to keep people informed about potential group actions if one of our regulated UK partner law firms is able to take this claim forward.
By registering, you’ll stay up to date with any developments — from investigations to possible legal action.
No. Registering simply means you’ll receive updates. If a law firm later takes on the case, you’ll be given the option to learn more about the process and any potential costs before deciding whether to take part.
A group action claim allows people affected by the same issue to take action together. This strength in numbers helps stand up to big organisations. Join the Claim helps connect people with law firms so these actions have a real impact.
You might also like
We connect consumers with their legal dream teams to ensure they get the compensation and support they deserve.
Join the Claim is not a law firm. We connect individuals with top law firms for group action claims, and our service is free to use. While we may receive a fee from the law firms we introduce you to, this will not affect your costs or compensation. We are not responsible for the advice or services provided by these firms. Please note, nothing on this website is legal advice, and while we check claim eligibility, we cannot guarantee a law firm will accept a case.
Join the Claim is a registered trading name of Big on Media ltd. Big on Media is registered in the United Kingdom under licence number 09878028 with its registered office located at Big on Media, 32 Eyre Street, Sheffield, England, S1 4QZ
© Join the Claim All Rights Reserved |
