Scattered Spider Hackers Jailed for TfL Cyberattack That Disabled 148 Systems
Two Scattered Spider hackers have each been sentenced to five years and six months in prison for the 2024 cyberattack on Transport for London. The breach disabled 148 systems, forced 27,000 employees to reset their passwords in person and caused about £29 million in losses and recovery costs.
Thalha Jubair, from East London, and Owen Flowers, from Walsall, received their sentences at Woolwich Crown Court on July 16, 2026. The National Crime Agency sentencing announcement described the case as the largest cybercrime prosecution brought before UK courts.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Both defendants pleaded guilty on June 22, the day their trial was due to begin. They admitted one offence under Section 3ZA of the Computer Misuse Act 1990, based on being reckless about whether their actions caused or created a significant risk of serious damage to human welfare.
Key Facts About the TfL Cyberattack
| Case detail | Confirmed information |
|---|---|
| Defendants | Thalha Jubair and Owen Flowers |
| Attack period | August 31 to September 3, 2024 |
| Sentence | Five years and six months each |
| Systems disabled | 148 TfL systems |
| Employees affected | 27,000 staff required in-person password resets |
| Financial impact | Approximately £29 million in losses and recovery costs |
| Cybercrime group | Scattered Spider |
The attackers infiltrated TfL’s computer network between August 31 and September 3, 2024. TfL detected suspicious activity on September 1 and restricted access to parts of its environment to protect safety-critical systems.
The organisation’s rapid containment prevented the attack from shutting down London’s transport network. Underground, bus and rail services continued operating, but many customer-facing and administrative services were disrupted.
The Crown Prosecution Service case summary said TfL had to disconnect parts of its own network to prevent wider damage. Prosecutors said messages between the defendants suggested they had discussed destroying or removing access to systems.
Which TfL Services Were Disrupted?
The cyberattack affected services used by passengers, employees and vulnerable Londoners. Some systems became unavailable, while others had to operate through manual procedures.
Dial-a-Ride booking services were disrupted. This service provides transport for people who cannot easily use buses, trains or the London Underground because of a disability or long-term health condition.
The incident also affected Oyster refunds, concessionary travel cards, digital payment channels and applications for children’s and young people’s Oyster photocards. A planned extension of contactless ticketing was delayed.
| Affected area | Reported impact |
|---|---|
| Employee access | All 27,000 employees had to attend a TfL office to reset their passwords |
| Oyster refunds | Customers experienced longer refund delays |
| Photocard applications | Applications for children and young people were temporarily unavailable |
| Dial-a-Ride | Booking services for vulnerable passengers were disrupted |
| Critical systems | Staff used manual workarounds to maintain important operations |
| Contactless ticketing | A planned expansion was delayed |
Customer Data Was Accessed
TfL confirmed that the attackers accessed certain customer information. The affected data included some names, contact details and information connected to Oyster card refunds.
In its updated cybersecurity incident notice, TfL said it contacted affected customers and notified the Information Commissioner’s Office. The regulator closed the matter in February 2025 without taking action against TfL.
TfL has said it found no evidence that information accessed during the attack was subsequently misused. Customers should still be cautious about unexpected messages claiming to relate to Oyster accounts, refunds or compromised personal data.
How Investigators Linked the Hackers to the Attack
Investigators seized laptops, computer towers, hard drives and USB devices from Flowers. One laptop contained a screenshot showing a connection to TfL infrastructure.
The same device held videos recorded during the attack that showed Jubair accessing TfL systems, according to the NCA investigation account. Investigators also recovered Telegram conversations and evidence that the pair used a shared online workspace.
Evidence connecting Jubair to the intrusion was also obtained from overseas. The CPS sentencing release said cooperation between British and international authorities helped prosecutors attribute the attack.
- A screenshot showed network connectivity to TfL infrastructure.
- Videos showed Jubair accessing TfL systems during the incident.
- Telegram messages documented communication between the defendants.
- A shared remote workspace supported their joint activity.
- Overseas evidence helped link Jubair to the attack.
Flowers Also Targeted US Healthcare Organisations
Flowers admitted separate offences connected to attacks against SSM Health and Sutter Health, two US healthcare organisations. Authorities encountered this activity while investigating his role in the TfL attack.
He pleaded guilty to two offences under Section 3 of the Computer Misuse Act in connection with a conspiracy and attempt to impair the healthcare organisations’ computer systems.
Flowers was later arrested again after breaching bail conditions concerning his use of electronic devices. Jubair was separately charged with failing to provide PINs or passwords for devices seized from him.
Scattered Spider’s Role in the TfL Attack
The NCA identified Jubair and Flowers as leading members of Scattered Spider, a loosely organised cybercrime collective associated with social engineering, credential theft, SIM swapping and data extortion.
Scattered Spider is known for targeting employees and help desks rather than relying only on technical exploits. Attackers linked to the name often impersonate staff members, manipulate support personnel and attempt to bypass multifactor authentication.
The NCA said the investigation and arrests severely disrupted the group’s activity. However, Scattered Spider operates as a decentralised collective, and other criminals may continue using the name or similar methods.
Why the Section 3ZA Convictions Matter
Section 3ZA covers unauthorised computer activity that causes or creates a significant risk of serious material damage. It applies when an offender intends to cause that damage or acts recklessly about whether it will occur.
The official Section 3ZA legislation includes serious harm to human welfare, the environment, national security or a country’s economy. The potential penalties are therefore more severe than those for basic unauthorised access offences.
Prosecutors believe Jubair and Flowers are the first hackers successfully prosecuted under this section. The NCA separately described the proceedings as only the second UK criminal prosecution of its kind, highlighting how rarely the provision has been used.
Potential Economic Damage Could Have Been Far Greater
The confirmed cost to TfL was about £29 million. That figure covered direct losses, restoration work and recovery expenses following the attack.
Authorities said a successful shutdown of London’s transport network could have caused losses of up to £56 billion across the wider UK economy. This was a risk estimate, not damage that actually occurred.
TfL’s response kept safety-critical systems operating and prevented the incident from stopping transport services. Its public incident update says safety-critical processes were maintained throughout the response.
Cybersecurity Lessons for Critical Infrastructure Operators
The prosecution shows how an attack on business systems can create risks for public services even when operational transport systems remain available. Identity management, customer databases, payment services and employee access can all become points of disruption.
Organisations should ensure that emergency access procedures do not depend entirely on the systems that may be affected during an attack. Tested offline processes can help maintain critical functions while networks are contained and restored.
The case also demonstrates the importance of reporting attacks quickly. TfL contacted law enforcement early, allowing investigators to preserve evidence and coordinate with international partners.
- Require strong identity checks for help-desk password resets.
- Use phishing-resistant multifactor authentication for privileged accounts.
- Separate critical operational systems from corporate and customer networks.
- Maintain tested offline recovery plans and secure backups.
- Monitor remote access tools, unusual account changes and mass authentication failures.
- Preserve logs and contact law enforcement promptly after detecting an intrusion.
- Review obligations under Section 3ZA of the Computer Misuse Act when assessing serious cyber incidents.
FAQ
Thalha Jubair and Owen Flowers were each sentenced to five years and six months in prison for their roles in the 2024 TfL cyberattack.
The attack made 148 TfL systems inoperable. Some critical functions required manual workarounds while systems were restored.
TfL reported approximately £29 million in losses and recovery costs. Authorities estimated that a complete transport network shutdown could have caused much greater economic damage.
Yes. TfL said certain customer information was accessed, including names, contact details and some data connected to Oyster refunds. TfL has found no evidence that the information was misused.
Scattered Spider is a loosely organised cybercrime collective associated with social engineering, credential theft, SIM swapping, network intrusions and data extortion.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages