Two British cybercriminals linked to the Scattered Spider hacking group have pleaded guilty to a cyber-attack on Transport for London (TfL) in 2024 that cost £39 million and affected 10 million people. Thalha Jubair, 20, and Owen Flowers, 18, entered their pleas under the Computer Misuse Act at Woolwich Crown Court on Monday, the first day of what was scheduled to be a six-week trial.
Details of the Attack
The National Crime Agency (NCA) believes the attack was carried out by Scattered Spider, an online hacking community suspected of multiple recent attacks. TfL, which handles up to 5 million passenger journeys daily on the Underground alone, emailed over 7 million customers in September 2024 to inform them that some customer data may have been taken. The BBC reported that 10 million TfL customers had their data stolen.
Prosecutors stated the cyber-attack resulted in a £39 million loss for TfL and a “loss of livelihood” for people dependent on TfL licences, as previously heard at Westminster Magistrates’ Court. The attack disrupted live Tube arrival information on the TfL Go app and website, and prevented payment processing on Oyster and contactless apps, as well as registration of Oyster cards to customer accounts.
Guilty Pleas and Charges
Jubair, of Bow, east London, and Flowers, of Walsall, West Midlands, both admitted conspiring to commit unauthorised acts against TfL computer systems, causing risk of serious damage to human welfare. Flowers additionally admitted hacking two US healthcare companies: SSM Health Care Corporation and attempting to hack Sutter Health on or about 6 September 2024.
Mr Justice Turner remanded both defendants in custody ahead of a two-day sentencing hearing on 15 July. Jubair has also been accused by the US Department of Justice of involvement in a series of cyber-attacks targeting 47 US organisations, garnering over $100 million (£75 million) in ransom payments. Flowers denied two further hacking charges, which were ordered to lie on file.
Impact and Investigation
Paul Foster, head of the NCA’s national cyber crime unit, said the TfL incident underlined the growing threat from homegrown and English-speaking hackers. “The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cybercriminals based in the UK and other English-speaking countries, epitomised by Scattered Spider,” he said. The NCA noted that hackers accessed TfL’s refunds system, leaving some customers out of pocket longer than usual, and shut the application system for Oyster photocards for children and young people.
Investigators found devices at Flowers’ West Midlands home, including laptops, hard drives, and USB sticks. One laptop contained a screenshot showing network connectivity to TfL infrastructure, as well as videos Flowers recorded of Jubair accessing TfL systems during the attack. The pair communicated via Telegram and an online collaborative tool.
Foster added that the damage shows cybercrime has “real-world consequences and impacts hugely on the public” despite appearing “faceless and distant” compared with other crimes. The case highlights the vulnerability of critical infrastructure, with UK critical infrastructure experiencing 200 cyber incidents in a year, according to a separate agency report.
