Two men have admitted their role in a cyber attack that inflicted an estimated £39 million in losses on Transport for London (TfL) and disrupted services for millions of passengers, the National Crime Agency (NCA) has confirmed.
Thalha Jubair, 20, from Tower Hamlets, east London, and Owen Flowers, 18, from Walsall, West Midlands, changed their pleas to guilty at Woolwich Crown Court on Monday, just before their trial was due to begin. They had originally denied conspiring to commit unauthorised acts against TfL’s computer systems. The pair will be sentenced at the same court on 15 and 16 July 2026.
The breach, which targeted TfL’s network between 29 August and 6 September 2024, forced a password reset for 28,000 employees and compromised data from the Oyster refund system, including bank details. Customer refunds were delayed, and applications for children and young people’s Oyster photocards were suspended. TfL was also unable to process payments on its Oyster and contactless apps, register Oyster cards to customer accounts, or issue refunds for incomplete pay-as-you-go journeys made using contactless cards. Live Tube arrival information vanished from the TfL Go app and the website, and development projects — including the rollout of pay-as-you-go contactless travel to railway stations outside London — were slowed.
The scale of the impact on customers was enormous. While TfL initially said “some” customers were affected, the organisation later emailed more than seven million passengers to inform them about the incident, and approximately 10 million customers are believed to have had their data stolen. The stolen information included names, email addresses, home phone numbers, mobile phone numbers and physical addresses. Investigators from the NCA found that the initial access to TfL’s systems was achieved through social engineering — not through a third-party software vulnerability — and that the attackers used Telegram messaging and a shared online workspace to collaborate.
At Flowers’ home, officers seized laptops, computers, hard drives and USB sticks. One laptop contained a screenshot showing connectivity to TfL’s infrastructure, along with evidence that he had accessed an online tool selling breached credentials. The NCA also said officers found videos recorded by Flowers that showed Jubair accessing TfL systems during the attack.
The hacker collective behind the attack
Both men are members of Scattered Spider, a criminal hacking collective that has been linked to a string of high-profile incidents targeting companies such as Jaguar Land Rover, Marks and Spencer, Caesars Entertainment, MGM Resorts International, Qantas, Harrods, and the Co-op Group. The group is also known by several other names, including UNC3944, Starfraud, Scatter Swine, Muddled Libra, Octo Tempest and 0ktapus.
Scattered Spider is believed to consist predominantly of young, English-speaking individuals from the United States and the United Kingdom, many of them teenagers or young adults. Authorities estimate the group may have as many as 1,000 members. Their modus operandi relies on advanced social engineering tactics — phishing, smishing and the use of victim-specific crafted domains — and they have been linked to ransomware-as-a-service and data theft extortion.
Jubair has additionally been accused by the US Department of Justice of involvement in a series of cyber attacks targeting 47 American organisations, allegedly generating more than $100 million (£75 million) in ransom payments. Flowers, meanwhile, pleaded guilty to conspiring with others to commit unauthorised acts against SSM Health Care Corporation, a US healthcare firm, and to attempting to commit unauthorised acts against Sutter Health, another US healthcare provider.
The attack on SSM Health’s systems occurred via a data breach at Navvis, a healthcare management company that partners with SSM Health, between 12 and 25 July 2023. That breach potentially exposed health insurance policy numbers, account numbers and medical treatment details; a $6.5 million settlement was later agreed to resolve claims affecting approximately 2.8 million individuals. The Sutter Health breach, which impacted around 845,000 patients, happened in May 2023 through one of its vendors, Welltok (trading as Virgin Pulse), after vulnerabilities in the MOVEit Transfer server were exploited by a different hacking group, Clop.
Jubair faced an additional charge under the Regulation of Investigatory Powers Act 2000 (RIPA) for failing to disclose the PIN or passwords of his devices. He denied the charge, and it was left to lie on the file.
Deputy Director Paul Foster, head of the NCA’s national cyber crime unit, said: “Cyber crime may appear faceless and distant compared to other crime types, but the infiltration of TfL’s systems shows it has real-world consequences and impacts hugely on the public. The attack caused millions of pounds in losses to a key part of the UK’s critical national infrastructure and was a significant inconvenience for customers. Today’s result would not have been possible if TfL had not engaged with law enforcement early, so I would urge any other organisation to please do the same in such circumstances. The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cyber criminals based in the UK and other English-speaking countries, epitomised by Scattered Spider. This is why we work closely with partners at home and abroad to identify offenders within these networks and bring them to justice.”
Andy Lord, London’s transport commissioner, said: “We welcome the news that two people charged in relation to the cyber incident which impacted our operations in 2024 have now pleaded guilty. The security of our systems and customer data is extremely important to us, and we continually monitor our systems to ensure only those authorised can gain access and continue to take the necessary actions to protect TfL. We thank the hard work of our staff and of the National Crime Agency and partners for their investigations into this incident.”
