Scattered Spider Hackers Who Breached Transport for London Plead Guilty
Two young men linked to the Scattered Spider cybercrime group have pleaded guilty to hacking Transport for London in an attack that disrupted digital services, exposed some customer data, and cost the transport authority a reported £29 million in losses and recovery costs.
The National Crime Agency said Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, admitted their roles after TfL’s network was infiltrated between August 31 and September 3, 2024.
The pair were due to stand trial at Woolwich Crown Court on June 22, 2026, but changed their pleas to guilty on the first day of proceedings. TfL’s cyber security incident update also records that two people charged over the incident pleaded guilty on June 22.
What happened in the TfL cyberattack?
The attack forced TfL to reset credentials for around 28,000 employees. Staff had to attend TfL offices to complete the reset, a sign that the organization had lost confidence in parts of its internal identity environment.
The breach also affected customer-facing services. Data from the Oyster refunds system was accessed, and the customer refund system was disrupted. The application system for Oyster photocards for children and young people was also temporarily closed.
TfL said it identified suspicious activity on September 1, 2024, and took action to limit access while keeping safety-critical systems and processes running. The transport authority later said certain customer data, including names and contact details for some customers, had been accessed.
| Case detail | What is known |
|---|---|
| Defendants | Thalha Jubair and Owen Flowers |
| Group link | Scattered Spider |
| Attack window | August 31 to September 3, 2024 |
| Affected organization | Transport for London |
| Reported cost | £29 million in losses and recovery costs |
| Sentencing | Expected in mid-July 2026 |
Evidence linked the defendants to TfL systems
Investigators from the NCA and City of London Police recovered several devices during the case. One Acer laptop contained a screenshot showing network connectivity to TfL infrastructure.
Authorities also found videos recorded by Flowers that showed Jubair accessing TfL systems during the attack. The pair communicated through Telegram and an online collaboration tool while the intrusion was underway.
The NCA said Flowers had accessed an online tool selling breached credentials. Investigators also linked him to intrusions involving US healthcare organizations SSM Health Care Corporation and Sutter Health.
Why Scattered Spider cases matter
Scattered Spider has become one of the most closely watched English-speaking cybercriminal groups because it often relies on social engineering, stolen credentials, help desk manipulation, and identity-system abuse rather than only technical exploits.
A joint Scattered Spider advisory from US, UK, Canadian, and Australian agencies says the group targets large companies and their contracted IT help desks. The advisory also describes tactics including phishing, smishing, push bombing, SIM swapping, remote access tools, and credential theft.
Those tactics match a broader shift in cybercrime. Attackers increasingly focus on identity systems and employee trust paths because one successful login can open access to internal systems, cloud platforms, support tools, and sensitive customer data.
- Scattered Spider actors often impersonate employees or IT help desk staff.
- They may use stolen credentials bought from criminal marketplaces.
- They may target multi-factor authentication reset processes.
- They often use legitimate remote access tools after gaining entry.
- They may monitor internal communications to follow incident response activity.
TfL says safety-critical services were maintained
TfL has said it acted quickly after identifying suspicious activity and maintained safety-critical systems. The organization also notified the Information Commissioner’s Office after discovering that some customer data had been accessed.
According to the TfL incident notice, the ICO confirmed on February 13, 2025, that it would not take regulatory action against TfL and considered the matter closed.
TfL also said it currently has no evidence that information accessed during the incident has been misused. Even so, the breach caused real disruption for customers and staff, especially around refunds, Oyster services, and internal account resets.
Law enforcement highlights early reporting
Paul Foster, deputy director and head of the NCA’s National Cyber Crime Unit, said the case showed how cybercrime can have direct public consequences when critical infrastructure is targeted.
The NCA case summary also credited TfL’s early engagement with law enforcement as an important part of the investigation. City of London Police said the attack caused major disruption and affected essential public services.
The case comes amid continued warnings that young English-speaking cybercriminals are taking part in organized intrusion groups. For public bodies and large enterprises, that makes identity security, help desk controls, and incident-reporting procedures more important than ever.
| Security area | Recommended focus | Why it matters |
|---|---|---|
| Identity security | Monitor password resets, MFA changes, and new device registrations | Scattered Spider often targets account access paths |
| Help desk process | Verify callers through strong, out-of-band checks | Social engineering can bypass weak support workflows |
| Credential monitoring | Watch for breached passwords and suspicious login attempts | Criminals may buy or reuse stolen credentials |
| Incident response | Report serious intrusions early and preserve evidence | Early law enforcement cooperation can support investigation and recovery |
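The identity security row above can be turned into a correlation rule. The sketch below is an added example, not code from TfL, the NCA, or the joint advisory: it flags a help desk password reset followed by a new MFA device registration and a first login from an unknown device, all inside a short window. The event field names, the `helpdesk` actor label, and the 30-minute default are assumptions about a normalized identity log.

```python
from datetime import datetime, timedelta

# Constructed sample events (not data from the TfL incident). Field names and
# the "helpdesk" actor label are assumptions about a normalized identity log.
SAMPLE_EVENTS = [
    {"ts": "2025-01-15T09:00:00", "user": "alice", "action": "password_reset", "actor": "helpdesk"},
    {"ts": "2025-01-15T09:04:00", "user": "alice", "action": "mfa_device_registered", "actor": "alice"},
    {"ts": "2025-01-15T09:06:00", "user": "alice", "action": "login", "actor": "alice", "device_known": False},
    # Self-service reset followed by a login from a known device: benign.
    {"ts": "2025-01-15T10:00:00", "user": "bob", "action": "password_reset", "actor": "bob"},
    {"ts": "2025-01-15T10:05:00", "user": "bob", "action": "login", "actor": "bob", "device_known": True},
    # Same chain as alice, but spread over four hours.
    {"ts": "2025-01-15T11:00:00", "user": "carol", "action": "password_reset", "actor": "helpdesk"},
    {"ts": "2025-01-15T15:00:00", "user": "carol", "action": "mfa_device_registered", "actor": "carol"},
    {"ts": "2025-01-15T15:01:00", "user": "carol", "action": "login", "actor": "carol", "device_known": False},
]

CHAIN = ("password_reset", "mfa_device_registered", "login")

def matches(event, step):
    """True if the event is the given step of the chain."""
    if event["action"] != CHAIN[step]:
        return False
    if step == 0:
        return event["actor"] == "helpdesk"          # reset done by support staff
    if step == 2:
        return not event.get("device_known", True)   # first login from a new device
    return True

def flag_reset_chains(events, window=timedelta(minutes=30)):
    """Return one alert per user who completes the whole chain inside the window."""
    progress, alerts = {}, []   # progress: user -> (next step, time of the reset)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        step, started = progress.get(user, (0, None))
        if step and ts - started > window:
            step = 0                                 # the reset is too old to count
        if matches(ev, 0):
            step, started = 1, ts                    # a help desk reset (re)starts the chain
        elif step and matches(ev, step):
            step += 1
        if step == len(CHAIN):
            alerts.append({"user": user, "reset_at": started.isoformat(), "login_at": ev["ts"]})
            step = 0
        progress[user] = (step, started)
    return alerts

if __name__ == "__main__":
    for alert in flag_reset_chains(SAMPLE_EVENTS):
        print(alert)
```

With the default window only the tightly clustered chain is reported; widening the window trades fewer misses for more alerts that need manual review.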
What organizations can learn from the TfL breach
The TfL case shows that a cyberattack does not need to stop trains or buses to cause serious harm. Disrupted refund systems, account resets, customer notifications, recovery work, and staff disruption can create major operational and financial costs.
Organizations should review whether attackers could trick support teams into resetting credentials, registering MFA devices, or granting remote access. They should also rehearse how they would recover if internal identity systems could no longer be trusted.
The latest Scattered Spider guidance recommends reducing the likelihood and impact of this kind of activity through stronger identity controls, phishing-resistant authentication, tighter remote access rules, and better monitoring of legitimate tools used in suspicious ways.
FAQ
Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, pleaded guilty after TfL’s network was infiltrated between August 31 and September 3, 2024.
Scattered Spider is an English-speaking cybercriminal group known for social engineering, credential theft, help desk impersonation, SIM swapping, MFA abuse, and attacks on large organizations.
The National Crime Agency said Transport for London suffered a reported £29 million in losses and recovery costs after the cyberattack.
TfL said certain customer data was accessed, including names and contact details for some customers. TfL also said it has no evidence that the accessed information has been misused.
TfL said it took action to limit access and maintained safety-critical systems and processes after identifying suspicious activity.
Sentencing is expected in mid-July 2026. Official sources differ slightly on the exact date, with TfL listing July 15 and the National Crime Agency listing July 16.