Scattered Spider attack on TfL affected 10 million people

The scale of the 2024 Scattered Spider cyber attack on Transport for London (TfL) was far wider in its scope than first thought, with the personal data of millions of London’s bus, train and underground passengers affected, it has emerged.

According to the BBC, which has obtained and reviewed a copy of the database from an unnamed hacker, the data contained the names, email addresses, landline and mobile phone numbers, and street addresses of roughly 10 million people. Computer Weekly understands the copy of the database, which contained 15 million lines of data, has been destroyed.

Scattered Spider breached TfL’s systems in August 2024 – with the incident coming to light at the beginning of September – and forced TfL to pay millions in response and remediation costs, with the authority ultimately facing a bill of almost £40m.

It did not affect TfL’s ability to run its core services, but caused severe disruption to technical services such as third-party application programming interfaces (APIs) and public-facing Oyster services.

Two teenagers, since named as Owen Flowers and Thalha Jubair, appeared at Westminster Magistrates’ Court in September 2025 charged with offences relating to the incident. A full trial is set to take place later this year.

TfL told the BBC it had kept customers informed throughout its investigation and would continue to take further action as necessary. However, in disclosing the incident, it admitted it had only reached out to just over seven million people who had registered their email addresses with it, and about 40% of those emails were never opened, suggesting millions of people have no idea their data was leaked in the first place.

ESET’s Jake Moore said the most shocking aspect of the situation was less that millions of people were affected by the breach, but more that it took nearly 18 months for it to come to light.

“Ten million records is an incredibly valuable dataset for criminals, and when joined up to other previously exposed data, it becomes a treasure trove that’s never deleted,” said Moore.

“Even if the data hasn’t been actively abused yet, it’s highly likely that it will be traded and reused in scams for years.

“When millions of ordinary people rely on a service like this every day, the impact goes far beyond the organisation itself, which is why immediate transparency around the scale of a cyber attack is so important,” he said. “Anyone who had payment details linked to a TfL account should therefore continue to keep a close eye on their bank statements and remain wary of any unexpected messages.”

Emails ignored

Keven Knight, CEO of Talion, said it was concerning that only 58% of the notification emails sent by TfL were ever opened, given that this was the organisation’s most important opportunity to act and communicate more widely.

“They [TfL] should have been doing more to make people aware that they had been sending emails so that they could be on the lookout for them,” he said. “Not taking action could imply they were trying to bury the true scale of the incident, which is not only dangerous, but also highly irresponsible.

“Now a huge proportion of these victims have been left completely in the dark about the fact that their data was compromised. This could have left them more susceptible to phishing emails.”

Knight added: “This is not the kind of action we should ever expect from a government-associated organisation. If bounceback emails are coming in, or if people are not reading breach notifications, this means other communications avenues are required. Leaving victims completely in the dark is not the answer.”

Next steps

Although it appears that the dataset has not been widely abused, in the wake of the latest disclosure, ESET’s Moore advised that anybody who has ever linked their email or payment details to a TfL account should keep a close eye out for unexpected inbound contacts and unexplained charges on their bank or credit card statements.

Further guidance for consumers affected by breaches at organisations holding their data is available from the UK’s National Cyber Security Centre (NCSC).

TfL has been contacted for further comment, but had not yet responded at the time of writing.