Hacker sends BBC copy of TfL database, reporter finds his own details among 10M breached records

Published: 6 March 2026
transport london database leak
Image by Cybernews

A hacker has sent the BBC a copy of a Transport for London (TfL) database containing the personal details of around 10 million people, allowing the broadcaster to verify the scale of the breach.

The BBC’s cybersecurity correspondent Joe Tidy reported that “someone in the hacking community” contacted him via the messaging app Telegram, claiming to have obtained the full database from TfL’s 2024 cyberattack.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News
Google News Follow us
ADVERTISEMENT

The hacker, who did not reveal their identity, shared the dataset so journalists could examine it. The file contained millions of records, including names, email addresses, home phone numbers, mobile phone numbers, and physical addresses.

When Tidy analyzed the data, he discovered that his own personal details were included among the millions of records.

“The data contains millions of lines of names and personal details – including my own.”

Joe Tidy, BBC Cybersecurity correspondent

Links to the 2024 cyberattack

The revelations shed new light on the 2024 cyberattack on TfL, which was linked to the cybercrime group Scattered Spider.

The breach disrupted internal systems and online services and is estimated to have caused £39 million ($52 million) in damages.

At the time of the attack, TfL declined to give a precise figure for the number of people affected.

Check if your data has been leaked

Find out if your email, phone number or related personal information might have fallen into the wrong hands.
18,611,353,922
Breached accounts
36,030
Breached websites
ADVERTISEMENT

Now, the organization has confirmed that it had emailed around 7 million customers with an email address registered to their TfL account to notify them of the breach. However, TfL admitted to the BBC that the emails had an open rate of just 58%.

According to Tidy, this suggests that millions of people may never have seen the notification. “... or that those who, like myself, did not have an active email registered were not warned that criminals had their data,” he added.

The trial of two British teenagers accused of carrying out the TfL attack is scheduled for June.

Questions over transparency

Tidy said TfL had previously stated only that “some” people were affected, which he argued, in a later LinkedIn post, could influence the level of media attention given to cyber incidents.

Under current UK rules, companies that suffer cyberattacks are not legally required to publicly disclose the total number of people affected by breaches.

While retailer Co-op admitted that 6.5 million people were affected by its breach last spring, neither Marks and Spencer nor Harrods has put a number on their breaches, which occurred around the same time.

By contrast, in the Netherlands, telecoms firm Odido has been transparent in its response to an ongoing data extortion attack, saying that six million customers were impacted.

In Japan, the CEO of the larger brand Asahi explained exactly what data was stolen from around two million people during a ransomware attack.

ADVERTISEMENT

Unlock more exclusive Cybernews content on YouTube.

Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked