Key Takeaways

- Thalha Jubair (20) and Owen Flowers (18) pleaded guilty to breaching Transport for London systems in September 2024
- The attack caused £29 million in damages and forced 28,000 employees to reset passwords in person
- Flowers has also been linked to intrusions at two American healthcare organizations

Two members of the Scattered Spider cybercrime group pleaded guilty on the first day of their trial to hacking Transport for London's systems in September 2024. The attack caused £29 million ($38.3 million) in financial damage to the UK's largest public transit operator.
Thalha Jubair, 20, and Owen Flowers, 18, changed their pleas at Woolwich Crown Court after initially denying involvement. The pair breached TfL infrastructure between August 31 and September 3, 2024, accessing customer data and disrupting refund services for days.
Sentencing is scheduled for July 16. Both face potential prison time for compromising what the National Crime Agency calls "a key part of the UK's critical national infrastructure."
What did investigators find?
The NCA seized multiple devices from Flowers' home containing damning evidence. A laptop showed a screenshot proving connectivity to TfL infrastructure. Investigators also found evidence of access to a marketplace selling stolen credentials, and videos showing Jubair breaching TfL systems. The two communicated via Telegram and a shared online collaboration platform during the intrusion.
Flowers was first arrested on September 12, 2024, the same day TfL admitted customer data had been stolen. He breached his bail conditions twice, in March and May 2025. Both hackers were arrested again on September 18, 2025, after investigators retrieved additional incriminating evidence extending beyond the TfL attack.
How severe was the TfL breach?
The attack hit TfL on September 2, 2024, causing operational disruptions that lasted for days. Attackers accessed the Oyster refunds system and delayed refunds for customers. The £29 million damage figure includes remediation costs and operational losses.
“The attack caused millions of pounds in losses to a key part of the UK's critical national infrastructure, and was a significant inconvenience for customers. Today's result would not have been possible if TfL had not engaged with law enforcement early, so I would urge any other organization to please do the same in such circumstances.”
— Paul Foster, NCA Deputy Director
TfL serves millions of passengers daily across London's tube, bus, and rail networks. The forced password reset for all 28,000 employees, requiring in-person visits to local offices, gives a sense of the operational chaos the breach caused.
Who is Scattered Spider?
Scattered Spider, also tracked as UNC3944 and Octo Tempest, is a cybercriminal collective known for sophisticated social engineering attacks. The group consists primarily of young, English-speaking hackers from the US and UK. They gained notoriety for high-profile attacks on MGM Resorts and Caesars Entertainment in 2023.
The group typically targets IT help desks using phone-based social engineering to bypass multi-factor authentication. Their youth and native English fluency make them unusually effective at impersonating employees and tricking support staff into granting access.
Flowers has been linked to intrusions beyond TfL. Authorities connected him to breaches at SSM Health Care Corporation and Sutter Health, both American healthcare organizations. These additional charges may factor into his sentencing.
What happens next?
The trial was originally scheduled to begin June 22, but the guilty pleas changed the timeline. Both defendants now await sentencing on July 16. Given the scale of the financial damage and the links to breaches at foreign healthcare organizations, prosecutors will likely push for custodial sentences.
The NCA's public praise for TfL's early engagement with law enforcement signals a broader message to UK organizations: report breaches quickly, cooperate fully, and the government will prioritize prosecution. Whether that message lands with the private sector, which often fears reputational damage from disclosure, remains to be seen.
Frequently Asked Questions
What is Scattered Spider?
Scattered Spider is a cybercriminal group of young, English-speaking hackers from the US and UK, known for social engineering attacks on major organizations including MGM Resorts, Caesars Entertainment, and Transport for London.
How much damage did the TfL hack cause?
The Transport for London cyberattack caused £29 million ($38.3 million) in financial damage and forced all 28,000 employees to reset their passwords in person at local offices.
When will the Scattered Spider hackers be sentenced?
Thalha Jubair and Owen Flowers are scheduled to be sentenced on July 16, 2026, at Woolwich Crown Court.
What data was stolen in the TfL breach?
Attackers accessed TfL's Oyster refunds system and customer data. TfL confirmed on September 12, 2024, that customer data had been stolen in the attack.
Logicity's Take
The age of these hackers, 18 and 20, underscores an uncomfortable reality: some of the most damaging cyberattacks on critical infrastructure come from teenagers with social engineering skills and time on their hands. The NCA's emphasis on TfL's early cooperation suggests UK authorities are trying to shift organizational culture around breach disclosure. But the real question is whether sentences for young offenders will deter others, or whether Scattered Spider's decentralized structure means the group simply absorbs the loss and continues operating.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.


