Two Men Admit £39m Transport for London Cyber Attack Linked to Scattered Spider
Two men have admitted carrying out a cyber attack which cost Transport for London (TfL) an estimated £39m and paralysed key services for months.
Thalha Jubair, 20, from east London, and Owen Flowers, 18, from Walsall, initially denied responsibility but changed their pleas just as the trial was set to start on Monday at Woolwich Crown Court, according to Sky News.
The National Crime Agency (NCA) said both men were part of online criminal collective Scattered Spider — a group also linked to attacks on firms such as M&S. The hackers infiltrated TfL's network between 31 August and 3 September 2024, in what TfL described at the time as a "sophisticated" and "aggressive" attack.
📰 Related: Five Eyes Warns AI Could Supercharge Cyberattacks Within Months
What the hack broke
The pair accessed Oyster card data, which affected customer refunds, and closed down the system for young people's travel photocards. TfL was forced to suspend functions including traffic cameras and Dial-a-Ride bookings.
All 28,000 TfL staff also had to go to the office to reset their password — a massive operational reset that contributed to the £39m bill for losses and recovery.
The Times confirmed the pair pleaded guilty to conspiring to commit unauthorized acts against TfL under the Computer Misuse Act, and will be sentenced on July 16, noting the hack exposed personal information for about 5,000 customers including names, addresses and bank details linked to Oyster cards The Times.
📰 Related: Texas Data Breach Hit 3 Million Hunters and Anglers
NCA: "increasing threat from UK-based cyber criminals"
"The attack caused millions of pounds in losses to a key part of the UK's critical national infrastructure, and was a significant inconvenience for customers," said NCA deputy director Paul Foster.
"The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cyber criminals based in the UK and other English-speaking countries, epitomised by Scattered Spider."
Evidence included a screenshot showing connectivity to TfL infrastructure on Flowers' laptop, as well as videos of Jubair accessing the company's systems, the NCA told reporters.
Silicon UK also reported the guilty pleas, adding that Flowers also admitted attempting to breach US healthcare firms SSM Health Care Corporation and Sutter Health Silicon UK.
📰 Related: Inver Grove Heights Delays Data Center Vote to Friday, Frustrating Residents
Not their first alleged targets
Help Net Security noted the pair are Scattered Spider members and face sentencing on July 16, with the attack causing an estimated £29-39m in losses and three months of disruption Help Net Security.
US authorities have separately charged Jubair in connection with 120 cyberattacks targeting 47 US entities, resulting in over $115 million in ransom payments, according to the US Department of Justice.
Both men will be sentenced at Woolwich Crown Court on 16 July.
Key Takeaways
- Thalha Jubair, 20, and Owen Flowers, 18, plead guilty to £39m TfL hack
- Attack ran 31 Aug – 3 Sep 2024, linked to Scattered Spider group
- Oyster data breached, 5,000 customers affected, 28,000 staff forced to reset passwords
- Dial-a-Ride, traffic cameras, photocards suspended for months
- Flowers also admitted US healthcare targeting, sentencing set for 16 July
Sources
Also Read
You might also like
Technology Reporter
Priya Nair writes about emerging technologies, cybersecurity, and the intersection of tech and society. She keeps a close eye on Silicon Valley and the global startup scene.
