Two individuals associated with the ‘Scattered Spider’ cybercrime group have confessed to breaching the Transport for London (TfL) systems in 2024.
The culprits, Thalha Jubair (20) and Owen Flowers (18), successfully infiltrated London’s transportation service between August 31 and September 3, 2024, resulting in substantial financial losses.
Initially denying any involvement, Jubair and Flowers later changed their pleas to guilty on the first day of the court proceedings at Woolwich Crown Court.
Transport for London (TfL) is a prominent public body tasked with managing a significant portion of London’s transportation networks, catering to millions of residents and facilitating thousands of daily journeys.
On September 2, 2024, TfL’s infrastructure encountered a severe cybersecurity breach, leading to operational disruptions that persisted for several days.
The attackers managed to access data from TfL’s Oyster refunds system and disrupt customer refund services, causing delays in refund processing for numerous users.
By September 12, TfL acknowledged that customer data had been compromised in the attack, while the U.K.’s National Crime Agency (NCA) announced the arrest of Flowers, a prime suspect at that time.
Both Jubair and Flowers were apprehended on September 18, 2025, following the recovery of incriminating evidence by investigators, linking them to not only the TfL cyberattack but also other illicit activities. Flowers violated his bail terms twice, in March and May 2025.
According to the NCA, the cyber assault on TfL necessitated all 28,000 employees to reset their passwords by visiting local offices, inflicting a financial toll of £29 million ($38.3M) on the public transportation entity.
NCA’s Deputy Director Paul Foster emphasized, “The attack resulted in substantial financial losses to a critical component of the UK’s vital national infrastructure and posed a significant inconvenience to customers.”
“Today’s outcome was made feasible due to TfL’s prompt collaboration with law enforcement, underscoring the importance of such cooperation in similar circumstances,” Foster added.
Investigators seized multiple devices from Flowers’ residence, including a laptop displaying connectivity to TfL infrastructure, evidence of involvement in a stolen credentials marketplace, and videos showcasing Jubair breaching TfL systems.
The hackers maintained communication through Telegram and a shared online platform during the intrusion, as per the NCA’s findings.
Besides TfL, authorities have linked Flowers to breaches at SSM Health Care Corporation and Sutter Health, both U.S.-based healthcare organizations.
The trial for the two Scattered Spider members was initially set for June 22, but due to their guilty pleas, the sentencing has been rescheduled for July 16.
Security teams detect only 14% of successful attacks, leaving the majority unnoticed in your system.
Discover how breach and attack simulation can enhance your SIEM and EDR rules to prevent threats from evading detection. Download the whitepaper now.
Get the whitepaper
EU Takes Action Against Instagram and Facebook for Violating Illegal Content Rules
Warning: Facebook Creators Face Monetization Loss for Stealing and Reposting Videos
Facebook’s New Look: A Blend of Instagram’s Style
Facebook Compliance: ICE-tracking Page Removed After US Government Intervention
Facebook and Instagram to Reduce Personalized Ads for European Users
InstaDub: Meta’s AI Translation Tool for Instagram Videos
Reclaim Your Account: Facebook and Instagram Launch New Hub for Account Recovery
Meta discontinues Messenger apps for Windows and macOS
Subscribe to our weekly newsletter below and never miss the latest News or an exclusive offer.
