Two members of the ‘Scattered Spider’ cybercrime group pleaded guilty to hacking the Transport for London (TfL) systems in 2024.
The two individuals, Thalha Jubair (20) and Owen Flowers (18), breached the systems of London’s transportation service between August 31 and September 3, 2024, causing millions of pounds in losses.
Jubair and Flowers previously declined involvement in the incident but have changed their pleas to guilty on the first day of the proceedings at Woolwich Crown Court.
TfL is a public body responsible for managing the majority of London’s transportation networks, serving a metropolitan area of millions, and handling thousands of journeys daily.
On September 2, 2024, TfL’s infrastructure suffered a cybersecurity incident, causing operational disruptions that continued for days.
The attackers accessed data from TfL’s Oyster refunds system and disrupted customer refund services, delaying refunds for some users.
On September 12, TfL admitted that customer data had been stolen in the attack, while the U.K.’s National Crime Agency (NCA) announced on the same day the arrest of Flowers, a suspect at the time.
Jubair and Flowers were arrested on September 18, 2025, after the investigators retrieved incriminating evidence for both, extending even beyond the TfL cyberattack. Flowers breached his bail conditions twice, in March and in May 2025.
According to the NCA, the cyberattack at TfL forced all 28,000 employees to visit their local offices to reset their passwords and caused £29 million ($38.3M) in financial damage to the public transportation organization.
“The attack caused millions of pounds in losses to a key part of the UK’s critical national infrastructure, and was a significant inconvenience for customers,” stated NCA’s Deputy Director Paul Foster.
“Today’s result would not have been possible if TfL had not engaged with law enforcement early, so I would urge any other organization to please do the same in such circumstances.”
The investigators seized multiple devices from Flower’s home, including a laptop containing a screenshot showing connectivity to TfL infrastructure, evidence of access to a marketplace selling stolen credentials, and videos showing Jubair breaching TfL systems.
The hackers communicated via Telegram and a shared online collaboration platform during the intrusion, the NCA stated.
In addition to TfL, authorities have also linked Flowers to intrusions at SSM Health Care Corporation and Sutter Health, both American healthcare organizations.
The two Scattered Spider members were scheduled to stand trial on June 22, but the sentencing was rescheduled for July 16 because of changing their plea to guilty.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
