
TfL confirms 10 million people affected by massive data breach
- Around 10 million people's personal data was stolen in an attack on Transport for London in 2024.
- The cyber-attack, conducted by the Scattered Spider crime group, resulted in £39 million in damages.
- The incident highlights the need for improved transparency and regulations regarding data breaches in the UK.
Story
In August and September of 2024, a significant cyber-attack targeted Transport for London (TfL), resulting in the theft of personal data of approximately 10 million individuals. The hackers, linked to the crime group known as Scattered Spider, gained access to TfL's internal computer systems. Although TfL initially reported that only 'some' customers were affected, the breach's extent was much larger than disclosed.

As a consequence of the attack, TfL experienced disruptions to its online services, leading to £39 million in damages. The organisation has since communicated with over 7 million customers regarding the incident, highlighting concerns about their personal information being compromised. Notably, the hacked data included names, email addresses, and home addresses.

A person within the hacking community, who did not reveal their identity, provided the BBC with a copy of the compromised database, which enabled verification of the data's authenticity. Fortunately, there have been no reports of the stolen data being used for any secondary attacks as of the time of the report.

In the aftermath of the breach, TfL has been scrutinized for its transparency. In other countries, such as the Netherlands and Japan, businesses have disclosed extensive information on data breaches; the UK does not mandate full disclosure of such incidents. A data protection consultant stressed the importance of clear communication regarding the nature of breaches and potential risks to privacy.

While the UK's Information Commissioner's Office cleared TfL of wrongdoing related to this incident, it noted that it had been informed of the breach's full extent but found no further action necessary. The incident has sparked discussions around the need for increased regulation and accountability regarding data breaches in the UK, emphasizing that clearer policies could better protect affected individuals.