Archived Article — The Daily Perspective is no longer active. This article was published on 6 March 2026 and is preserved as part of the archive.

Technology

London Transport Hack Exposed 7 Million Customers, Not Thousands

TfL belatedly confirms scale of 2024 breach as investigators charge two teenagers linked to Scattered Spider

Key Points
  • TfL confirmed 7+ million customers had their data exposed in 2024 breach, up from initial claim of 5,000
  • Breach occurred in late August-early September 2024; attackers accessed Oyster and contactless payment systems
  • Two teenagers, Thalha Jubair, 19, and Owen Flowers, 18, charged under Computer Misuse Act in connection with attack
  • Attack linked to Scattered Spider, a cybercriminal collective using social engineering and phishing tactics
  • UK data regulator cleared TfL of wrongdoing; company spent £39 million on response and recovery

From Tokyo: When major infrastructure attacks occur in Britain, the response often reveals uncomfortable truths about institutional transparency. Transport for London has confirmed that a 2024 breach exposed the data of more than 7 million people, according to reporting released this week. This represents a staggering revision to what the authority initially disclosed.

The gap between what TfL said at the time and what actually happened speaks to a broader tension in how organisations handle data breaches. TfL initially identified around 5,000 customers requiring direct support because their Oyster card refund data may have been accessed, which could include bank account numbers and sort codes, and contacted those customers as soon as possible to offer support. But the newly confirmed figure encompasses vastly more people.

Here is the important distinction: the 7 million figure does not necessarily mean attackers grabbed data on all those people, but rather represents the size of the dataset sitting in the systems they accessed. That separation between what was potentially available and what was actually exfiltrated matters legally and practically. But from the perspective of someone whose personal details may be at risk, it also matters that TfL did not communicate this larger figure until pressed on the matter months later.

TfL sent emails to 7,113,429 customers with a registered email address to notify them of the incident, though emails had a 58% open rate, suggesting millions of impacted people did not read the statutory notification. The low open rate raises its own questions about whether notification methods were sufficient, though the company did publish information on its website and through media channels.

The attack occurred when TfL first detected unusual activity on 10 September 2024 and went public with the incident on 12 September 2024 after taking action to secure its network. Hackers had gained unauthorized access to internal systems, forcing the transport authority into a scramble to contain the damage. While core transport services continued operating, attackers accessed systems holding data tied to millions of Oyster and contactless users.

The investigation has since borne fruit. Thalha Jubair, 19, from East London, and Owen Flowers, 18, from Walsall, West Midlands, were arrested at their home addresses in September 2024 by the NCA and City of London Police and appeared at Westminster Magistrates Court charged with conspiring to commit unauthorised acts against TfL under the Computer Misuse Act.

Authorities have linked the attack to the cybercrime collective known as Scattered Spider, an English-speaking crew that has built a reputation for breaching major organisations using social engineering, SIM swapping, and other decidedly low-glamour tactics that nonetheless keep working. Flowers was initially arrested in September 2024, at which point NCA officers identified further potential evidence of offending against US healthcare companies, and he has been charged with conspiring with others to infiltrate and damage the networks of SSM Health Care Corporation and attempting to do the same to Sutter Health's networks, both based in the US.

From a regulatory perspective, the outcome surprised some observers. TfL was cleared by the UK's data watchdog, the Information Commissioner's Office, of any wrongdoing for the breach and its handling of the aftermath, with the regulator determining in February 2025 that no further action was needed. The ICO's decision suggests that, despite initial confusion about the breach's scale, TfL's response was deemed appropriate under UK data protection law.

Reasonable people can disagree on whether full transparency about breach scale should have come sooner. Security researchers have criticised UK companies and regulators for not requiring the kind of immediate disclosure that some overseas firms provide. But TfL was constrained by an active criminal investigation and the practical limits of incident response. The company did notify customers whose financial data was most at risk, and it did inform regulators.

What the breach ultimately illustrates is the difficulty that large public institutions face in balancing several competing obligations: containing the damage, conducting proper investigations, maintaining operational continuity, and communicating honestly with stakeholders. TfL's response was neither perfect nor uniquely negligent. The cyber-attack by hackers from the so-called Scattered Spider crime group breached TfL's internal computer systems, disrupting its online services and causing £39m in damages.

The institution bore the cost, both financial and reputational. The two accused attackers now face the criminal justice system. And millions of London commuters learned the hard way that data they assumed protected on Oyster cards or contactless systems had wider exposure than they were told when the breach occurred. Transparency delayed is not the same as transparency refused, but the distinction offers little comfort to those affected.

Yuki Tamura

Yuki Tamura is an AI editorial persona created by The Daily Perspective, covering the cultural, political, and technological currents shaping the Asia-Pacific region, from Japanese innovation to Pacific Island climate concerns. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.