On the morning of 1 September 2024, engineers at Transport for London spotted unusual activity on their internal systems. The intrusion had actually begun the night before, on 31 August, and by the time defenders noticed it, significant damage had already been done. What followed was weeks of disruption, tens of millions of pounds in losses, and a slow, painful disclosure process that left the vast majority of affected people with no meaningful warning that their personal data had been stolen.
The full scale of the incident only became clear in March 2026, when the BBC obtained and reviewed a copy of the stolen database. That database contains nearly 15 million lines of data, covering an estimated 10 million individuals. It is now considered one of the largest data breaches in British history — and the organisation responsible for protecting that data described it, for months, as affecting only "some" customers.
It was not TfL's first brush with a major cyber incident. In June 2023, TfL was among the organisations affected by the Clop ransomware group's mass exploitation of a zero-day vulnerability in Progress Software's MOVEit file transfer platform. That incident, which also hit the BBC, British Airways, and Boots via payroll supplier Zellis, compromised employee data rather than passenger records, and TfL confirmed at the time that no passenger or banking data was involved. The 2024 Scattered Spider attack reached a different target — the customer data layer — but the pattern of TfL as a repeated target of sophisticated threat actors raises a question the organisation has not publicly answered: what changed after 2023, and was it enough?
That question matters because the two attacks are structurally different in ways that reveal how the threat landscape is shifting. The MOVEit compromise was a supply chain attack: TfL was a downstream victim of a vulnerability in third-party software used by its payroll provider. The 2024 Scattered Spider attack was a direct social engineering campaign aimed at TfL's own help desk personnel. The 2023 incident should have prompted specific scrutiny of whether TfL's human verification controls were robust enough to resist a vishing attack. Whether it did, and what conclusions were reached, has not been disclosed. TfL's partners at the NCSC, the NCA and Microsoft stated after the 2024 breach that TfL "responded well to the incident and disrupted the attack to some extent, potentially preventing a far worse outcome." That assessment is worth holding onto. It implies the defences, imperfect as they were, were not idle — but it does not answer whether the lessons of 2023 were acted upon in the 14 months between incidents.
How the Attack Unfolded
The intrusion was attributed to Scattered Spider, a loosely organised, financially motivated cybercriminal group that has been active since 2022. The group, also tracked under the aliases UNC3944, Octo Tempest, Muddled Libra, and Storm-0875, is primarily composed of young, English-speaking individuals based in the United Kingdom and the United States. That native English fluency is a central part of what makes them effective.
Rather than relying primarily on exploiting technical vulnerabilities, Scattered Spider weaponises the human layer. Their attacks typically begin with a combination of SMS phishing (smishing), voice phishing (vishing), and SIM-swapping, designed to obtain credentials before a single line of malicious code is ever executed on a target network. The group is considered, by CISA and other agencies, to be among the most capable social engineering actors currently operating.
CISA's advisory on Scattered Spider describes the group's social engineering attempts as being enriched by access to personal information derived from social media, open-source intelligence, commercial intelligence tools, and database leaks — allowing threat actors to convincingly impersonate real employees when calling IT help desks. (Source: CISA Advisory AA23-320A)
In TfL's case, the attackers are believed to have used these same techniques to gain initial access — impersonating employees, persuading help desk personnel to issue password resets or transfer MFA tokens, and then using legitimate remote access tools to maintain persistence once inside. Once credentials were obtained and access established, the attackers moved laterally through TfL's network, ultimately exfiltrating data from a legacy database system containing customer records linked to TfL's discounted travel and Oyster payment schemes.
Critically, the attack did not affect the operational infrastructure that runs the London Underground, buses, or other transport services. What it did reach was the customer-facing data layer — the systems holding names, contact details, home addresses, and, for a subset of approximately 5,000 customers, bank account numbers and sort codes associated with Oyster refund applications.
"This attack caused significant disruption and millions in losses to TfL." — Paul Foster, Deputy Director and Head of the National Cyber Crime Unit, National Crime Agency (September 2025)
The Stolen Data: What Was Taken
The database reviewed by the BBC in March 2026 contained close to 15 million rows of information corresponding to roughly 10 million distinct individuals. The data fields include full names, email addresses, home telephone numbers, mobile numbers, and physical street addresses. For the approximately 5,000 customers who had applied for Oyster card refunds, the compromised data also included bank account numbers and sort codes.
TfL confirmed at the time that credit and debit card numbers were not compromised, as payment processing runs on a separate, more secure system. Financial data in the traditional sense was not the primary target. What was taken was the kind of rich, personally identifiable information that is extraordinarily useful for follow-on attacks: spear-phishing campaigns, identity fraud, SIM-swapping, and the construction of convincing impersonations.
Security experts have warned that the stolen TfL dataset is likely circulating on hacker forums. Anyone who had a registered TfL, Oyster, or contactless account before September 2024 should treat any unexpected contact — by phone, email, or post — as potentially targeted, particularly if it references their travel history or account details.
The problem of notification compounded the data exposure. TfL sent emails to the roughly 7 million customers whose email addresses it held on record. Of those, only approximately 58% were opened. That leaves more than 40% of contacted customers — and all customers whose contact details were not held — who received no meaningful alert that their information had been compromised. The remaining millions in the database had no email address registered with TfL at all.
There is a question embedded in the BBC's March 2026 investigation that almost every subsequent report glossed over: who gave them the database, and why? The BBC reported that a hacker sent them a copy of the stolen data. That is not a trivial detail. It means that by March 2026, the database had not merely been retained by the original attackers — it was being actively shared or offered to third parties, including journalists. Cybernews separately reported the same dynamic: a hacker sent them a copy, too. The implication is that at the point the public finally learned the true scale of the breach, the data was not in the hands of one group. It had almost certainly circulated. A dataset does not get offered to multiple media organisations simultaneously because it is being carefully safeguarded. It gets offered because it has already moved through the market. The 18-month gap between the attack and that revelation means that the effective harm-reduction window — the period during which alerting affected people would have been most useful — had already closed.
Keven Knight, CEO of Talion, argued that TfL's failure to proactively publicise the notification emails amounted to institutional negligence, leaving millions of victims exposed to follow-on phishing without the context to recognise or resist it. Suppressing the scale of a breach, Knight told IT Pro, is "not only dangerous but also highly irresponsible." (Source: IT Pro, March 2026)
Who Was Charged
On 16 September 2025, the National Crime Agency and City of London Police arrested two individuals at their home addresses. Thalha Jubair, 19, from Tower Hamlets in East London, and Owen Flowers, 18, from Walsall in the West Midlands, were both charged with conspiring together to commit unauthorised acts against TfL under the Computer Misuse Act. They appeared at Westminster Magistrates Court on 18 September 2025 and subsequently entered not guilty pleas at Southwark Crown Court. A provisional trial date has been set for 8 June 2026, with a pre-trial hearing scheduled for 13 February 2026.
The NCA confirmed its strong belief that both individuals are connected to the Scattered Spider collective, though contempt of court restrictions preclude further public speculation about guilt or innocence during the active legal process. Jubair faces an additional charge under the Regulation of Investigatory Powers Act 2000 for failing to disclose the PIN or passwords to devices seized from him on 19 March 2025. Both defendants are being held on remand.
Owen Flowers was first arrested in connection with the TfL attack on 6 September 2024. Because he was a minor at the time, his identity could not be officially disclosed. He was re-arrested in September 2025 once he had turned 18. Alongside the TfL charges, Flowers faces two additional counts of conspiring with others to infiltrate and damage the networks of SSM Health Care Corporation (Missouri) and attempting the same against Sutter Health (California) — both involving intrusions through those health systems' third-party vendors. Flowers pleaded not guilty to all charges. (Sources: NCA, The Record from Recorded Future News, Cybersecurity Dive)
One aspect of the timeline that has attracted relatively little scrutiny is what the period between Flowers' first arrest and his re-arrest looked like in practice. He was arrested in September 2024, questioned, and released on bail. He was not charged until September 2025 — a full twelve months later. During that period, the NCA's investigation continued, digital evidence was examined, and the case was built to a standard sufficient for the Crown Prosecution Service to authorise charges. That is standard procedure for complex cybercrime investigations, where forensic analysis of seized devices takes considerable time. But it also means that a named suspect in one of the largest data breaches in British history was operating in the community for a year before charges were filed. The NCA has not disclosed what conditions, if any, were attached to Flowers' bail during that period. The question of whether bail conditions in serious cybercrime cases are sufficient to prevent ongoing offending is one that law enforcement agencies have not consistently answered.
Jubair's legal exposure extends considerably further. The US District of New Jersey unsealed a complaint on 18 September 2025 charging him with conspiracies to commit computer fraud, wire fraud, and money laundering, linked to at least 120 network intrusions targeting 47 US entities between May 2022 and September 2025. Alleged victims paid over $115 million in ransom payments, portions of which prosecutors claim were routed to wallets on a server under Jubair's control. Among the targets: the US federal court system itself. In January 2025, Jubair allegedly called the US Courts network help desk and convinced a representative to reset a password, gaining access to accounts that included one belonging to a federal magistrate judge. US prosecutors are seeking up to 95 years on the federal charges. (Sources: Fortune, US DOJ, SC Media)
The charges brought under the Computer Misuse Act 1990 include counts of conspiracy to commit unauthorised acts causing, or creating a significant risk of, serious damage to human welfare and national security. These are among the most serious cybercrime charges in English law and carry a maximum sentence of life imprisonment. The combined US federal exposure amounts to up to 95 years. Both defendants have pleaded not guilty. (Sources: Computer Weekly, SC Media, Infosecurity Magazine)
The arrests did not occur in isolation. Scattered Spider is a fluid, distributed collective. A separate set of four arrests was made in the UK in July 2025 in connection with the wave of attacks on M&S, Co-op, and Harrods. That earlier group included a 17-year-old. The group's resilience in the face of law enforcement action reflects the decentralised nature of its membership and the relatively low barrier to entry for socially skilled operatives with access to off-the-shelf attack tooling — and its increasingly organised alliance with other hacking groups including ShinyHunters and LAPSUS$.
The Cost to TfL
The financial damage to Transport for London was substantial. TfL's own financial reporting to its board disclosed that what had been forecast as an operating surplus of £61 million was revised down to £23 million as a direct result of the incident. The organisation confirmed a total cost of nearly £40 million, with at least £5 million spent specifically on incident response, forensic investigation, and cybersecurity remediation in the months following the attack.
The operational disruption was wide-ranging. The attack forced TfL to take several customer-facing systems offline for weeks, including the contactless journey history service, Oyster account registration, online refund processing, and the application systems for Zip cards (for 5- to 17-year-olds), 60+ Oyster cards, and Student Oyster cards. Third-party applications that relied on TfL APIs — including Citymapper — also lost access to real-time data. All 30,000 TfL employees were required to attend in-person appointments to have their passwords manually reset, an undertaking that strained internal IT capacity for weeks. Traffic cameras and dial-a-ride booking services were also taken offline during the containment period.
A dimension of the impact that received little mainstream coverage was its effect on people whose livelihoods depend on TfL licensing. Prosecutors noted at Westminster Magistrates Court that the disruption to TfL's licensing systems represented a direct "loss of livelihood" for some individuals — a category of harm that does not appear in the organisation's reported cost figures but is real, uncompensated, and concentrated among people with limited economic alternatives. (Source: ITV News London)
The Regulatory Response: A Cleared Organisation
Despite the scale of the breach and widespread criticism of TfL's communication with affected customers, the Information Commissioner's Office determined in February 2025 that formal regulatory action was not proportionate and cleared TfL of wrongdoing. That decision drew significant criticism from security professionals who argued that the ICO's response set a troubling precedent for how public bodies communicate data breaches to millions of ordinary people.
TfL maintained that it had widely publicised information on the stolen data and kept customers informed throughout its investigation. The organisation pointed to direct outreach to the approximately 5,000 customers whose financial data may have been accessed as evidence of its responsiveness. Critics, however, noted the gap between the millions in the database and the millions who received no effective warning, and questioned whether TfL's posture throughout the incident prioritised institutional reputation management over transparent public disclosure.
The ICO clearance raises a question that the regulatory framework does not cleanly answer: what does timely and adequate notification mean when the people at greatest risk are precisely the people an organisation has no direct contact details for? UK GDPR requires notification to affected individuals "without undue delay" where the breach is likely to result in high risk to their rights and freedoms. TfL's position — that it notified those it had email addresses for — is technically compliant with the letter of that obligation. Whether it satisfies the spirit is a different argument, and one that the ICO appears to have declined to pursue. That restraint may be reconsidered in light of the BBC's March 2026 investigation revealing the true scale, which post-dated the ICO's decision by over a year. (Sources: The Register, National Technology News)
The TfL breach is a clear illustration of why legacy database hygiene matters. TfL's core transport operations were untouched. The breach hit a legacy system that held years of accumulated customer PII — data that should arguably not have existed in an unprotected, consolidated form. Minimising the data you hold is not just a compliance concern. It is an attack surface question. The ICO's clearance does not change this calculus. Regulators clearing an organisation of wrongdoing does not mean that what happened was acceptable, handled well, or without consequence for those whose data was taken.
There is an internal accountability thread that public reporting has not followed. In late 2024, board papers disclosed that TfL had commissioned an independent review to examine "the circumstances surrounding the incident and the impact, our response to the incident, and whether further improvements are needed to our cybersecurity strategy." The papers noted that the review might be conducted in phases, given that the criminal investigation was ongoing. As of March 2026, TfL has not published the findings of that review, nor confirmed whether it has concluded. That silence is conspicuous. A public body responsible for the data of ten million people, having commissioned an independent assessment of what went wrong, could reasonably be expected to share at least a summary of what it found and what it changed. The ICO's clearance decision predates both the BBC's March 2026 revelations and any publicly disclosed findings of that internal review. Whether the ICO revisits its position in light of new information about the true scale of the breach remains an open question. (Source: SC Media UK, Evening Standard via board papers)
Scattered Spider: The Broader Threat Picture
To understand why the TfL attack succeeded, it helps to understand who Scattered Spider is and how they operate. The group first emerged in 2022, initially targeting customer relationship management firms and business process outsourcing companies before expanding to hospitality, gaming, healthcare, retail, and critical infrastructure. Their hallmark — consistent across every major campaign — is the exploitation of the human layer rather than novel technical vulnerabilities.
A typical Scattered Spider operation begins with extensive open-source reconnaissance. Threat actors identify target employees on LinkedIn, social media, and leaked data repositories, compiling enough personal information to convincingly impersonate those individuals when calling IT help desks. They then use a layered approach: initial calls to learn what verification steps are required for password resets, followed by spear-phishing voice calls to those specific desk agents, who are manipulated into resetting credentials or transferring MFA tokens to attacker-controlled devices.
Once inside, the group leverages legitimate remote monitoring and management tools — AnyDesk, ScreenConnect, TeamViewer — to avoid triggering endpoint detection. Credential dumping tools including Mimikatz are used to escalate privileges, and lateral movement occurs via RDP, SSH, and other standard services. The group is expert at blending in with normal administrative activity, a strategy known as living off the land (LOTL).
The US Health Sector Cybersecurity Coordination Center (HC3), in its October 2024 threat actor profile on Scattered Spider, attributed the group's sustained success specifically to its social engineering capabilities rather than to any technical sophistication in its exploit chain. That assessment was echoed by CISA and FBI in their July 2025 updated advisory, which added new TTPs including targeting of organisational Snowflake cloud data environments — enabling the group to run thousands of queries and exfiltrate massive volumes of structured data in a very short period — and the creation of fake social media profiles to backstop newly invented identities used inside compromised networks. (Sources: HHS HC3 / American Hospital Association, CISA Advisory AA23-320A updated July 2025)
Their ransomware toolkit has also evolved significantly. The group added RansomHub and Qilin to its arsenal in mid-2024, and by early 2025 was deploying DragonForce ransomware in campaigns against British retailers. In the M&S attack that began in April 2025, the compromise may have started as early as February 2025 when attackers exfiltrated the Windows domain's NTDS.dit file — the Active Directory database containing hashed credentials for every domain user. M&S chairman Archie Norman confirmed to a UK Parliament committee in July 2025 that attackers impersonated an M&S employee and called the retailer's service desk run by a third party, who then carried out a password reset. The resulting losses to M&S exceeded £300 million. These are not opportunistic attacks. They are the product of months of reconnaissance, patient preparation, and a sophisticated understanding of how corporate identity and access management systems can be subverted through trust rather than force. (Sources: Cube Technology, SC Media, Specops Software)
What the Stolen Data Actually Enables
Security analysts at ESET, quoted by Computer Weekly in March 2026, emphasised a point that tends to be lost in the coverage of large breaches: a dataset of this size and richness does not depreciate quickly. Ten million records containing full names, multiple contact channels, and physical addresses represent something far more dangerous than a list of phone numbers. When cross-referenced with other publicly leaked datasets — and the UK has had many — this data becomes a precise targeting tool for layered attacks. An attacker who knows your name, home address, mobile number, and that you use a contactless travel account linked to a specific email address can construct a highly believable impersonation scenario. They can send post that looks like official TfL correspondence. They can call your mobile using your name and reference your address. They can SIM-swap you. They can open credit accounts in your name.
ESET's Jake Moore described the dataset as "a treasure trove that is never deleted," noting that even data that has not been actively abused yet is highly likely to be traded and reused in scams for years. The 18-month gap between the breach and the BBC's revelation of its true scale means that the window for early warning — when awareness would have been most protective — has already closed for the vast majority of affected people. (Source: Computer Weekly, March 2026)
Anyone who held a registered TfL, Oyster, or contactless account before September 2024 should treat any unexpected contact — by phone, email, post, or text — as potentially targeted, particularly if it references travel history, account details, or asks you to take any account or financial action. You can check whether your email address appears in known breach datasets at haveibeenpwned.com. Consider placing a notice of correction on your credit file and registering with CIFAS protective registration if you believe you may be targeted for identity fraud. (Source: Cybernews, March 2026)
Key Takeaways
- Social engineering is the primary attack surface: The TfL breach, like nearly every major Scattered Spider campaign, began not with a software exploit but with a phone call. Technical controls that do not account for the human layer will fail against this threat actor. Going beyond standard help desk hardening means implementing out-of-band verification for every sensitive action: a callback on a pre-registered number, a video call to verify identity, or a physical verification requirement for high-privilege account changes. Hardware-based FIDO2 authentication keys should be mandatory for any accounts with administrative access. Help desk adversarial simulation exercises — where defenders test whether their own staff can be manipulated — are not optional extras. They are the frontline.
- Legacy data is a liability, not an asset: The records exposed in this breach did not live in TfL's core operational systems. They lived in a legacy database holding years of accumulated customer PII. Organisations that retain data beyond its useful life, without enforcing strict access controls, are creating attack surfaces that serve no operational purpose. A data minimisation audit is not just a GDPR compliance exercise. It is a question of how large a prize you are offering to attackers who get past your perimeter.
- Cloud data environments need specific protection: The CISA July 2025 advisory specifically flagged Scattered Spider's targeting of Snowflake environments, running thousands of queries to exfiltrate large volumes of structured data rapidly. Organisations holding customer PII in cloud data platforms should enforce strict access policies, implement anomalous query detection, monitor for bulk data access events, and minimise session token lifetimes. Cookie and session token hygiene is particularly important: the CISA/FS-ISAC guidance recommends minimising the viable lifespan of web cookies and deploying honeytokens around remote management tools for early detection. (Source: CISA AA23-320A updated July 2025, FS-ISAC)
- Disclosure failures amplify harm: A data breach is an event. The harm from a data breach is a process. TfL's notification reached roughly 58% of those it attempted to contact by email, and the people whose data was stolen but who received no alert are now more vulnerable to follow-on attacks that TfL's disclosure could have helped them recognise and resist. Breach notification is not a legal formality. It is a harm reduction measure. Organisations holding data on millions of people who have no email address on file need to consider what their notification strategy actually is for those people — not just what it technically covers.
- Scattered Spider is still active and evolving: Arrests have not stopped the group. As of July 2025, CISA, the FBI, and partner agencies from the UK, Canada, and Australia updated their Scattered Spider advisory to reflect new tactics including more sophisticated identity creation, Snowflake data exfiltration, and additional malware variants including RattyRAT for reconnaissance and DragonForce for encryption. The group has also consolidated relationships with ShinyHunters and LAPSUS$, forming a loosely affiliated collective with a broader toolset and larger operational reach. Organisations in any sector that relies on public-facing call centres or holds large-scale customer data should treat Scattered Spider as an active, ongoing, and evolving threat. (Source: CISA Advisory AA23-320A updated July 2025)
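As an added illustration of the bulk-access monitoring recommended in the cloud data takeaway above (this is not code from TfL, CISA, FS-ISAC or any vendor named in this article), the following Python flags three patterns over constructed query-history records: a burst of statements from one identity, an unusually large row count pulled by one identity in a short window, and statements that export data to a stage. The record layout, the thresholds and the sample data are all assumptions; a real deployment would read the platform's own query-history view and tune thresholds against a measured baseline per identity.

```python
"""Bulk-access detection over warehouse query-history records.

Added illustration, not code from TfL, CISA or any vendor named in the
article. Record layout (user|start_time|rows_produced|query_text),
thresholds and sample data are all constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Statements that move data out of the platform (export to a stage or an
# external location) rather than merely reading it. Assumed patterns.
EXPORT_RE = re.compile(
    r"^\s*(COPY\s+INTO\s+@|COPY\s+INTO\s+'?s3://|GET\s+@)", re.IGNORECASE
)


def parse_record(line):
    """Parse one constructed record: user|ISO start_time|rows_produced|query_text."""
    user, ts, rows, text = line.split("|", 3)
    return {"user": user, "ts": datetime.fromisoformat(ts),
            "rows": int(rows), "text": text}


def detect(lines, window=timedelta(minutes=10), max_queries=20, max_rows=500_000):
    """Return (user, kind, detail) findings in time order.

    kind is one of:
      query_rate - more than max_queries statements by one identity in window
      bulk_rows  - more than max_rows rows produced by one identity in window
      export     - a statement matching EXPORT_RE, reported every time it occurs
    Rate and volume findings fire once per identity so a burst yields one alert.
    """
    records = sorted((parse_record(line) for line in lines), key=lambda r: r["ts"])
    recent = defaultdict(deque)   # user -> (ts, rows) pairs still inside window
    fired = set()
    findings = []
    for rec in records:
        user = rec["user"]
        if EXPORT_RE.search(rec["text"]):
            findings.append((user, "export", rec["text"][:60]))
        q = recent[user]
        q.append((rec["ts"], rec["rows"]))
        while q and rec["ts"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        if len(q) > max_queries and (user, "query_rate") not in fired:
            fired.add((user, "query_rate"))
            findings.append((user, "query_rate", f"{len(q)} queries within {window}"))
        total_rows = sum(rows for _, rows in q)
        if total_rows > max_rows and (user, "bulk_rows") not in fired:
            fired.add((user, "bulk_rows"))
            findings.append((user, "bulk_rows", f"{total_rows} rows within {window}"))
    return findings


def constructed_sample():
    """Constructed query history: a routine analyst plus one identity pulling
    a whole customer table in small slices and then exporting it."""
    base = datetime(2024, 8, 31, 23, 0, 0)
    lines = []
    for i in range(5):   # routine: one small query every half hour
        ts = base + timedelta(minutes=30 * i)
        lines.append(f"analyst_a|{ts.isoformat()}|120|"
                     "SELECT count(*) FROM journeys WHERE day = current_date")
    for i in range(80):  # burst: 80 range scans in just over five minutes
        ts = base + timedelta(seconds=4 * i)
        lo, hi = i * 50_000, (i + 1) * 50_000
        lines.append(f"svc_reporting|{ts.isoformat()}|50000|"
                     f"SELECT * FROM customers WHERE id BETWEEN {lo} AND {hi}")
    ts = base + timedelta(minutes=6)
    lines.append(f"svc_reporting|{ts.isoformat()}|4000000|"
                 "COPY INTO @external_stage/dump FROM (SELECT * FROM customers)")
    return lines


if __name__ == "__main__":
    for user, kind, detail in detect(constructed_sample()):
        print(f"{user:15} {kind:11} {detail}")
```

On the constructed sample the routine analyst produces no findings, while the bulk-pulling identity trips the row-volume rule first (at its eleventh slice), then the query-rate rule, and finally the export rule on the COPY INTO statement.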
The TfL breach did not break the transport network. The Tube kept running, buses kept moving, and the city did not stop. What broke was the implicit contract between a public authority and the millions of people whose personal information it holds — and whose trust it exercised in aggregating, retaining, and inadequately protecting that data over many years. That is the kind of damage that does not show up in an operating deficit. It shows up years later, in phishing emails that know your home address, your phone number, and the name of your Oyster account.
Sources
- SC Media UK — TfL Faces Independent Investigation Over Cyber-Attack Response
- IT Pro — True scale of TfL cyber attack emerges
- Computer Weekly — Scattered Spider attack on TfL affected 10 million people
- The Register — Transport for London says 2024 breach affected 7M customers
- Cybernews — Hacker sends BBC copy of TfL database
- National Crime Agency — Two charged for TfL cyber attack
- The Record from Recorded Future News — Two suspected Scattered Spider hackers plead not guilty over Transport for London cyberattack
- Cybersecurity Dive — UK arrests 2 more alleged Scattered Spider hackers over London transit system breach
- SC Media — Guilt denied by alleged Scattered Spider members over London hack
- Fortune — London teenager orchestrated help desk extortion scheme against 47 US companies
- Infosecurity Magazine — Pair of suspected Scattered Spider hackers charged by UK and US authorities
- ITV News London — Two teenagers in court charged over Transport for London cyber attack
- CISA — Cybersecurity Advisory AA23-320A: Scattered Spider (updated July 2025)
- SC Media — Scattered Spider attacks cost UK retailers hundreds of millions
- Specops Software — M&S ransomware hack: Service Desk & Active Directory security lessons
- Infosecurity Magazine — How the UK retail sector responded to the Scattered Spider hack wave
- HHS HC3 / American Hospital Association — HC3 Threat Actor Profile: Scattered Spider (October 2024)
- Tech Digest — Scattered Spider TfL cyber-attack affected 10 million people, BBC reveals
- Control Risks — Scattered Spider attacks: mitigation strategies for cyber teams
- Darktrace — Inside Scattered Spider: Evolving TTPs Exposed