Transport for London (TfL) has finally come clean about the scale of its 2024 cyberattack, and the numbers are staggering. We aren't just talking about a few leaked emails or some internal memos. New findings, brought to light by the BBC and subsequent investigations, show that the breach impacted roughly 10 million people. That's nearly the entire population of London and then some. If you've tapped a yellow card, signed up for a Zip card, or even just registered for an account to pay a Congestion Charge in the last decade, your data was likely sitting on the servers the hackers hit.
The reality of modern infrastructure is that it’s held together by digital duct tape. When a "sophisticated" group gets in, they don't just peek at the surface. They go for the crown jewels. In this case, the hackers accessed names, contact details, and potentially even partial bank account information for millions of passengers.
It’s easy to dismiss this as "just another breach" because we've become numb to the headlines. But this wasn't a random hit. It was a targeted strike on the nervous system of one of the world's busiest cities.
The Massive Scale of the 2024 Hack
Most initial reports in late 2024 suggested the breach was limited to around 5,000 customers. That was a massive understatement. The updated figure of 10 million comes after months of forensic analysis. This discrepancy happens because organizations often don't know the full extent of a breach until they've combed through every log file and server backup.
Hackers gained access through a vendor’s file transfer system. This is a classic "supply chain" attack. Instead of kicking down the front door of TfL’s main fortress, they found a side window left unlocked by a third-party service. Once inside, they moved laterally. They found databases containing years of history.
For the 10 million people affected, the data points vary. For some, it’s just an email address. For others, particularly those with Oyster photocards or those who applied for refunds, the data is far more sensitive. This includes home addresses and the last four digits of bank cards.
What the Hackers Actually Took
It’s not just about the numbers; it’s about the "what." When you look at the breakdown of the stolen data, you see a goldmine for identity thieves.
- Contact Information: Names, emails, and phone numbers are the bread and butter of phishing scams. You’ll probably see an uptick in "unpaid ULEZ charge" or "Oyster refund" scam texts. Don't click them.
- Oyster Photocard Data: This is particularly nasty. These accounts often include photos and proof of age or address for students and seniors.
- Financial Fragments: While full credit card numbers weren't taken—thanks to PCI compliance standards—the hackers did snag bank account numbers and sort codes for about 5,000 customers. That’s enough to set up fraudulent direct debits.
TfL spent weeks downplaying this. They had to. Admitting 10 million people were compromised on day one causes a panic that shuts down the city. But the delay in transparency meant people didn't change their passwords or stay alert for scams when the risk was highest.
Why This Hack Paralyzed the City
For weeks after the breach, TfL had to shut down its online refund systems and stop issuing new Zip cards. It wasn't just a data theft; it was operational sabotage. Staff couldn't access certain internal systems, and the "Live" data feeds used by apps like Citymapper and Google Maps became glitchy.
Security experts, including those from the National Cyber Security Centre (NCSC), were brought in to scrub the systems. They found that the attackers had been "dwelling" in the system for some time. In the industry, we call this "dwell time." It’s the period between a hacker getting in and being caught. The longer the dwell time, the more data they can exfiltrate without tripping any alarms.
The hackers used a vulnerability in the MOVEit software—a tool many government agencies use to move large files. If that sounds familiar, it’s because the same flaw was used to hit the BBC, British Airways, and Boots in 2023. TfL was just another domino in a very long line.
The Real Risk for the Average Commuter
You might think, "I don't have an Oyster account, I just use contactless." You aren't totally safe. While contactless payments via bank cards use tokens (which are harder to steal and reuse), any interaction with the TfL website or customer service puts you in the net.
The biggest threat now isn't someone buying a flat-screen TV with your card. It's the "Long Game" of social engineering. Fraudsters take your leaked TfL info and call you. They say, "Hi, I'm from TfL security, we noticed a fraudulent charge on your Oyster card ending in 1234." Because they have those last four digits, you trust them. Then they ask for your full bank details to "verify" your identity. Honestly, it's a brilliant, if evil, tactic.
Stop Trusting "Secure" Systems
If 2024 taught us anything, it’s that no system is unhackable. Public bodies like TfL are prime targets because they’re underfunded and rely on legacy software. They have to balance "ease of use" for millions of people with high-level security. Usually, ease of use wins.
You need to take your own security seriously. Assume your data is already out there. If you’ve used TfL services:
- Change your passwords. If you use the same password for TfL as you do for your banking or email, you’re asking for trouble.
- Enable Two-Factor Authentication (2FA). Do this on every account that allows it. It’s the single best way to stop a hacker even if they have your password.
- Watch your bank statements. Look for small, weird charges. Fraudsters often test a card with a £0.01 transaction before going for the big stuff.
- Be cynical. Treat every text or email from a "government body" as a lie until proven otherwise.
TfL is currently working to contact everyone affected, but with 10 million records, that takes time. Don't wait for a letter that might never come. Check your account settings now and clear out any saved payment methods you don't use daily. The era of "set it and forget it" with your digital identity is over. Manage your footprint or someone else will do it for you.
Check your email on sites like Have I Been Pwned to see if your data has appeared in recent dark web dumps. If it has, start rotating your credentials immediately. Stop using the same password for everything. It's lazy, and in 2026, it's a recipe for financial ruin.
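One practical way to do the "has this leaked?" check without handing a secret to a third party is the Have I Been Pwned Pwned Passwords range endpoint, which uses k-anonymity: you send only the first five hex characters of the SHA-1 of a password and match the returned suffixes locally. The script below is an added example, not TfL's, HIBP's or this article's code. The endpoint URL and the "Add-Padding" and "User-Agent" headers are real, documented parts of the HIBP API; the sample response body, its counts and the non-matching suffixes are constructed so the demo runs offline (the email-address breach search mentioned above is a different, key-gated endpoint and is not covered here).

```python
import hashlib
import urllib.request

# Real, documented HIBP Pwned Passwords range endpoint (no API key needed).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest.

    Only the prefix ever leaves the machine; the suffix is matched locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict[str, int]:
    """Parse a range response of 'SUFFIX:COUNT' lines into {suffix: count}.

    With Add-Padding the server mixes in dummy entries whose count is 0, so a
    network observer cannot infer the real range size; a 0 count is kept but
    means 'not actually seen in a breach'.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # skip malformed lines rather than crash on them
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-character prefix (HIBP requires a User-Agent)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "example-breach-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def exposure_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return parse_range_body(fetch(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (the SHA-1 prefix of "password").
# The middle line's suffix is the real suffix of SHA-1("password"); the counts
# and the other two suffixes are made up, and the 0-count line imitates padding.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "0000A1B2C3D4E5F60718293A4B5C6D7E8F9:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "FFFF0123456789ABCDEF0123456789ABCDE:0\r\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed data above."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = exposure_count(candidate, fetch=offline_fetch)
        verdict = f"seen {n} times, rotate it" if n else "not in this sample"
        print(f"{candidate!r}: {verdict}")
```

To run it against the live service, call exposure_count(pw) with the default fetch; the design keeps the network call separate from the matching logic so the same code can be unit-tested offline and never sends the full hash.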