Two members of cybercrime group ‘Scattered Spider’ have pleaded guilty to hacking Transport for London (TfL) plans in 2024.
The two people, Thalha Jubair (20) and Owen Flowers (18), breached the systems of London’s transport service between August 31 and September 3, 2024, causing losses of millions of pounds.
Jubair and Flowers had previously denied involvement in the incident but changed their pleas on the first day of the trial at Woolwich Crown Court.
TfL is a public organization responsible for managing most of London’s transport networks, serving a metropolitan area of millions, and handling thousands of journeys every day.
On 2 September 2024, TfL’s infrastructure suffered a cyber security incident, causing operational disruption that lasted for days.
Attackers accessed data from TfL’s Oyster refund system and disrupted customer refund services, delaying refunds for some users.
On September 12, TfL admitted that customer data had been stolen in the attack, while the UK National Crime Agency (NCA) announced on the same day the arrest of Flowers, a suspect at the time.
Jubair and Flowers were arrested on September 18, 2025, after investigators found evidence of both of them, extending beyond the TfL cyberattack. Flower breached bail conditions twice, in March and May 2025.
According to the NCA, the cyberattack at TfL forced all 28,000 employees to visit their local offices to reset their passwords and caused £29 million ($38.3M) in financial damage to the public transport organisation.
“This attack has caused millions of pounds of damage to a vital part of the UK’s national infrastructure, and has been a huge disruption for customers,” said NCA Deputy Director Paul Foster.
“Today’s outcome would not have happened if TfL hadn’t engaged with the law enforcement early on, so I would urge any other organization to do the same in such circumstances.”
Investigators seized a number of devices from Flower’s home, including a laptop containing a screenshot showing connections to TfL’s infrastructure, evidence of access to a marketplace selling stolen data, and videos showing Jubair breaching TfL’s systems.
The hackers communicated via Telegram and a shared internet platform during the break-in, the NCA said.
In addition to TfL, the authorities also linked Flowers to the entry of SSM Health Care Corporation and Sutter Health, both American health organizations.
The two members of Scattered Spider were supposed to be tried on June 22, but the sentencing was postponed to July 16 due to changing their pleas.
Security teams penetrate 54% of successful attacks and monitor 14%. Some walk around the area without being seen.
The Picus white paper shows how breaches and attack simulations evaluate your SIEM and EDR rules so that threats stop slipping through detection.
Get a white paper
