Two members of the Scattered Spider cybercriminal group have pleaded guilty to a cyberattack on Transport for London (TfL) that caused major service disruptions and resulted in an estimated £29 million in losses.
Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands, admitted their roles in breaching TfL’s internal network between August 31 and September 3, 2024.
The attack impacted critical systems and forced the organization to implement emergency remediation measures across its infrastructure.
According to investigators from the UK’s National Crime Agency (NCA) and the City of London Police (COLP), the attackers gained unauthorized access to TfL systems, triggering a full-scale password reset operation affecting approximately 28,000 employees.
Staff were required to attend physical offices to reauthenticate, highlighting the severity of the compromise and loss of trust in internal identity systems.
The breach also exposed data linked to TfL’s Oyster card refund system. This disruption delayed customer reimbursements and temporarily shut down the Oyster photocard application system used by children and young people.
While the full scope of data exposure has not been publicly disclosed, the operational impact significantly affected public services and customer experience.
Digital forensics played a critical role in the investigation. When Flowers was arrested on September 6, 2024, authorities seized multiple devices, including laptops, external drives, and USB storage.
One Acer laptop contained a screenshot showing active connectivity to TfL infrastructure, providing direct evidence of unauthorized access.
Investigators also found that Flowers had used online marketplaces to access or purchase compromised credentials, suggesting credential-based intrusion techniques were used during the attack.
Additional evidence included recorded videos showing Jubair actively navigating TfL systems during the breach. The pair coordinated via Telegram and other collaborative online tools, indicating a structured, real-time attack execution.
Further analysis linked Flowers to intrusions targeting US healthcare organizations, including SSM Health Care Corporation and Sutter Health, demonstrating the group’s broader international targeting footprint.
This aligns with known Scattered Spider tactics, which often involve social engineering, credential theft, and targeting large enterprises and critical infrastructure.
Flowers was later released on bail but violated his bail conditions twice in 2025, raising concerns about continued risky behavior during the investigation period.
Both individuals, who were due to stand trial at Woolwich Crown Court, pleaded guilty at the start of proceedings and are scheduled to be sentenced on July 16, 202
Law enforcement officials emphasized the real-world impact of cybercrime, particularly when critical infrastructure is targeted. The attack disrupted essential public transport services and imposed significant recovery costs.
Authorities also highlighted the growing trend of young, English-speaking cybercriminals joining organized threat groups such as Scattered Spider.
The case underscores the importance of early incident reporting and coordinated response between organizations and law enforcement.
Officials noted that TfL’s cooperation was a key factor in the successful investigation and prosecution. Organizations are advised to strengthen identity security controls, monitor credential abuse, and implement rapid incident response procedures to mitigate similar threats.