TfL Cyberattack: Two Scattered Spider Members Admit Guilt, Inflicting £29 Million in Damages

Two individuals associated with the cybercrime group Scattered Spider have pleaded guilty to their roles in a cyberattack on Transport for London (TfL), a breach that severely disrupted services and compromised customer data, resulting in estimated losses of £29 million for the transport authority. Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands, entered their guilty pleas during proceedings at Woolwich Crown Court. Initially scheduled for trial on June 22, both defendants opted to change their pleas.

Major Disruption from the TfL Cyberattack

The National Crime Agency (NCA) and City of London Police reported that TfL’s network was compromised between August 31 and September 3, 2024. This breach forced all 28,000 TfL employees to report to their offices for mandatory password resets, leading to significant operational disruptions across the organization.

The attack provided unauthorized access to sensitive data within TfL’s Oyster refunds system, hindering the authority’s ability to process customer reimbursements. Additionally, the application system for Oyster photocards, used by children and young people, was temporarily disabled. Authorities have indicated that the total financial repercussions of the attack, including losses and recovery costs, amounted to approximately £29 million.

Investigation Links Attackers to Scattered Spider

Jubair and Flowers were arrested at their homes on September 16, 2024, following a collaborative investigation by the NCA and City of London Police. Investigators identified them as members of Scattered Spider, a cybercriminal collective known for several high-profile intrusions.

During the search of Flowers’ residence, law enforcement recovered multiple devices, including laptops and USB storage. Notably, one Acer laptop contained a screenshot indicating connectivity to TfL’s infrastructure. Furthermore, evidence suggested that Flowers had accessed an online marketplace for stolen credentials, and videos allegedly recorded by him showed Jubair accessing TfL systems during the attack.

The investigation revealed that the two communicated via Telegram and utilized an online collaboration platform that facilitated remote work on shared systems.

Additional Allegations Involving U.S. Healthcare Networks

The investigation extended beyond the TfL cyberattack. When Flowers was initially arrested on September 6, 2024, NCA officers uncovered evidence of unauthorized activities targeting the networks of SSM Health Care Corporation and Sutter Health in the United States. Court documents indicate that Flowers pleaded guilty to charges related to a conspiracy aimed at impairing operations within SSM Health Care’s computer systems. He also admitted to attempting unauthorized actions against Sutter Health’s systems.

Jubair faces an additional charge for failing to disclose PINs or passwords associated with devices seized during the investigation. Authorities noted that Flowers breached bail conditions on two occasions in March and May 2025.

Law Enforcement Highlights the Impact of Cybercrime

Paul Foster, Deputy Director and head of the NCA’s National Cyber Crime Unit, characterized the case as a lengthy and complex investigation. He emphasized that the attack underscored the significant real-world consequences of cybercrime, which can severely impact public services and result in substantial financial losses to critical national infrastructure.

Foster also pointed out the increasing threat posed by cybercriminal organizations operating from the UK and other English-speaking countries, citing Scattered Spider as a prominent example. Deputy Commissioner Nik Adams of the City of London Police remarked on the significant impact of the cyberattack on essential public services and daily operations, asserting that those responsible for targeting critical organizations would be pursued through coordinated law enforcement efforts.

The investigation received support from the West Midlands Regional Organised Crime Unit and British Transport Police. Jubair and Flowers are scheduled for sentencing at Woolwich Crown Court on July 16.

Published on 2026-06-24 10:39:00 • By the Editorial Desk
