Hackers Jailed for TfL Cyberattack

Overview

Two young members of the Scattered Spider cybercrime group have been sentenced to prison for a 2024 cyberattack on Transport for London (TfL) that disrupted 148 systems, forced 27,000 staff to reset passwords in person, and cost the organization approximately £29 million.

The Attack

Between 31 August and 3 September 2024, Thalha Jubair (20, East London) and Owen Flowers (18, Walsall) infiltrated TfL’s network.

  • Public‑facing services were disrupted, including:
    • Dial‑a‑Ride for vulnerable Londoners.
    • Concessionary travel cards.
    • Digital payments and Oyster refunds.
    • Oyster photocard applications for children.
  • Expansion of contactless ticketing was delayed.
  • Data from the Oyster refunds system was accessed, leaving customers waiting longer for reimbursements.

All 27,000 TfL employees had to reset their passwords in person, and critical systems required manual workarounds.

Investigation & Evidence

  • Devices seized from Flowers contained:
    • Screenshots of connectivity to TfL infrastructure.
    • Videos of Jubair accessing TfL systems.
  • The pair coordinated via Telegram and a shared remote workspace.
  • Flowers was also linked to attacks on SSM Health and Sutter Health in the U.S.
  • Both were arrested on 16 September 2024.

Sentencing

On 16 July 2026, at Woolwich Crown Court, Jubair and Flowers were sentenced to five years and six months each under Section 3ZA of the Computer Misuse Act, covering unauthorized acts that cause or risk serious damage.

Investigators warned that a full transport network shutdown could have cost the UK economy up to £56 billion.

Wider Impact

  • Microsoft assessed that the arrests materially degraded Scattered Spider’s ability to operate, though others may still misuse the brand.
  • The case was described by the NCA Deputy Director Paul Foster as the largest cybercrime prosecution ever brought before UK courts.
  • City of London Police Commander Ollie Shaw highlighted proposed Cyber Crime Risk Orders, which could restrict offenders’ access to devices and technology — a form of “digital prison.”
  • Security Minister Dame Angela Eagle and TfL Commissioner Andy Lord praised the investigation and emphasized the need for stronger cyber resilience.
  • The FBI Cyber Division noted Scattered Spider’s repeated use of extortion and social engineering against critical services.

Expert in the Cloud Insight

This case illustrates the real‑world consequences of cybercrime: millions lost, critical services disrupted, and thousands of employees forced into manual recovery. It also shows how law enforcement collaboration across borders can dismantle high‑profile cybercrime groups. For organizations, the lesson is clear: invest in resilience, report incidents early, and prepare for the operational fallout of large‑scale attacks.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.