Scattered Spider Hackers Jailed for TfL Cyberattack That Disabled 148 Systems


Two Scattered Spider hackers have each been sentenced to five years and six months in prison for the 2024 cyberattack on Transport for London. The breach disabled 148 systems, forced 27,000 employees to reset their passwords in person and caused about £29 million in losses and recovery costs.

Thalha Jubair, from East London, and Owen Flowers, from Walsall, received their sentences at Woolwich Crown Court on July 16, 2026. The National Crime Agency sentencing announcement described the case as the largest cybercrime prosecution brought before UK courts.

Both defendants pleaded guilty on June 22, the day their trial was due to begin. They admitted one offence under Section 3ZA of the Computer Misuse Act 1990, based on being reckless about whether their actions caused or created a significant risk of serious damage to human welfare.

Key Facts About the TfL Cyberattack

Case detailConfirmed information
DefendantsThalha Jubair and Owen Flowers
Attack periodAugust 31 to September 3, 2024
SentenceFive years and six months each
Systems disabled148 TfL systems
Employees affected27,000 staff required in-person password resets
Financial impactApproximately £29 million in losses and recovery costs
Cybercrime groupScattered Spider

The attackers infiltrated TfL’s computer network between August 31 and September 3, 2024. TfL detected suspicious activity on September 1 and restricted access to parts of its environment to protect safety-critical systems.

The organisation’s rapid containment prevented the attack from shutting down London’s transport network. Underground, bus and rail services continued operating, but many customer-facing and administrative services were disrupted.

The Crown Prosecution Service case summary said TfL had to disconnect parts of its own network to prevent wider damage. Prosecutors said messages between the defendants suggested they had discussed destroying or removing access to systems.

Which TfL Services Were Disrupted?

The cyberattack affected services used by passengers, employees and vulnerable Londoners. Some systems became unavailable, while others had to operate through manual procedures.

Dial-a-Ride booking services were disrupted. This service provides transport for people who cannot easily use buses, trains or the London Underground because of a disability or long-term health condition.

The incident also affected Oyster refunds, concessionary travel cards, digital payment channels and applications for children’s and young people’s Oyster photocards. A planned extension of contactless ticketing was delayed.

Affected areaReported impact
Employee accessAll 27,000 employees had to attend a TfL office to reset their passwords
Oyster refundsCustomers experienced longer refund delays
Photocard applicationsApplications for children and young people were temporarily unavailable
Dial-a-RideBooking services for vulnerable passengers were disrupted
Critical systemsStaff used manual workarounds to maintain important operations
Contactless ticketingA planned expansion was delayed

Customer Data Was Accessed

TfL confirmed that the attackers accessed certain customer information. The affected data included some names, contact details and information connected to Oyster card refunds.

In its updated cybersecurity incident notice, TfL said it contacted affected customers and notified the Information Commissioner’s Office. The regulator closed the matter in February 2025 without taking action against TfL.

TfL has said it found no evidence that information accessed during the attack was subsequently misused. Customers should still be cautious about unexpected messages claiming to relate to Oyster accounts, refunds or compromised personal data.

How Investigators Linked the Hackers to the Attack

Investigators seized laptops, computer towers, hard drives and USB devices from Flowers. One laptop contained a screenshot showing a connection to TfL infrastructure.

The same device held videos recorded during the attack that showed Jubair accessing TfL systems, according to the NCA investigation account. Investigators also recovered Telegram conversations and evidence that the pair used a shared online workspace.

Evidence connecting Jubair to the intrusion was also obtained from overseas. The CPS sentencing release said cooperation between British and international authorities helped prosecutors attribute the attack.

  • A screenshot showed network connectivity to TfL infrastructure.
  • Videos showed Jubair accessing TfL systems during the incident.
  • Telegram messages documented communication between the defendants.
  • A shared remote workspace supported their joint activity.
  • Overseas evidence helped link Jubair to the attack.

Flowers Also Targeted US Healthcare Organisations

Flowers admitted separate offences connected to attacks against SSM Health and Sutter Health, two US healthcare organisations. Authorities encountered this activity while investigating his role in the TfL attack.

He pleaded guilty to two offences under Section 3 of the Computer Misuse Act in connection with a conspiracy and attempt to impair the healthcare organisations’ computer systems.

Flowers was later arrested again after breaching bail conditions concerning his use of electronic devices. Jubair was separately charged with failing to provide PINs or passwords for devices seized from him.

Scattered Spider’s Role in the TfL Attack

The NCA identified Jubair and Flowers as leading members of Scattered Spider, a loosely organised cybercrime collective associated with social engineering, credential theft, SIM swapping and data extortion.

Scattered Spider is known for targeting employees and help desks rather than relying only on technical exploits. Attackers linked to the name often impersonate staff members, manipulate support personnel and attempt to bypass multifactor authentication.

The NCA said the investigation and arrests severely disrupted the group’s activity. However, Scattered Spider operates as a decentralised collective, and other criminals may continue using the name or similar methods.

Why the Section 3ZA Convictions Matter

Section 3ZA covers unauthorised computer activity that causes or creates a significant risk of serious material damage. It applies when an offender intends to cause that damage or acts recklessly about whether it will occur.

The official Section 3ZA legislation includes serious harm to human welfare, the environment, national security or a country’s economy. The potential penalties are therefore more severe than those for basic unauthorised access offences.

Prosecutors believe Jubair and Flowers are the first hackers successfully prosecuted under this section. The NCA separately described the proceedings as only the second UK criminal prosecution of its kind, highlighting how rarely the provision has been used.

Potential Economic Damage Could Have Been Far Greater

The confirmed cost to TfL was about £29 million. That figure covered direct losses, restoration work and recovery expenses following the attack.

Authorities said a successful shutdown of London’s transport network could have caused losses of up to £56 billion across the wider UK economy. This was a risk estimate, not damage that actually occurred.

TfL’s response kept safety-critical systems operating and prevented the incident from stopping transport services. Its public incident update says safety-critical processes were maintained throughout the response.

Cybersecurity Lessons for Critical Infrastructure Operators

The prosecution shows how an attack on business systems can create risks for public services even when operational transport systems remain available. Identity management, customer databases, payment services and employee access can all become points of disruption.

Organisations should ensure that emergency access procedures do not depend entirely on the systems that may be affected during an attack. Tested offline processes can help maintain critical functions while networks are contained and restored.

The case also demonstrates the importance of reporting attacks quickly. TfL contacted law enforcement early, allowing investigators to preserve evidence and coordinate with international partners.

  • Require strong identity checks for help-desk password resets.
  • Use phishing-resistant multifactor authentication for privileged accounts.
  • Separate critical operational systems from corporate and customer networks.
  • Maintain tested offline recovery plans and secure backups.
  • Monitor remote access tools, unusual account changes and mass authentication failures.
  • Preserve logs and contact law enforcement promptly after detecting an intrusion.
  • Review obligations under Section 3ZA of the Computer Misuse Act when assessing serious cyber incidents.

FAQ

Who was jailed for the Transport for London cyberattack?

Thalha Jubair and Owen Flowers were each sentenced to five years and six months in prison for their roles in the 2024 TfL cyberattack.

How many TfL systems were disabled by the attack?

The attack made 148 TfL systems inoperable. Some critical functions required manual workarounds while systems were restored.

How much did the TfL cyberattack cost?

TfL reported approximately £29 million in losses and recovery costs. Authorities estimated that a complete transport network shutdown could have caused much greater economic damage.

Was customer data accessed during the TfL cyberattack?

Yes. TfL said certain customer information was accessed, including names, contact details and some data connected to Oyster refunds. TfL has found no evidence that the information was misused.

What is Scattered Spider?

Scattered Spider is a loosely organised cybercrime collective associated with social engineering, credential theft, SIM swapping, network intrusions and data extortion.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages