Scattered Spider duo plead guilty to 2024 TfL hack

Two individuals linked to the Scattered Spider cybercrime collective have admitted to compromising Transport for London’s (TfL) infrastructure in late 2024, resulting in significant operational and financial consequences for the UK’s largest public transport network.

The breach, which occurred over a four-day period in late August and early September 2024, targeted TfL’s Oyster refund system. This disruption delayed customer refunds and exposed sensitive data, affecting millions of daily commuters. The incident also forced TfL to implement mass password resets for its 28,000 employees, requiring in-person verification at local offices.

What happened

Thalha Jubair, 20, and Owen Flowers, 18, initially denied involvement in the attack but changed their pleas to guilty on the first day of proceedings at Woolwich Crown Court on 23 June 2026. Both were arrested on 18 September 2025 following an investigation by the UK’s National Crime Agency (NCA), which uncovered evidence linking them to the breach. This included a laptop seized from Flowers’ residence, containing screenshots of TfL’s internal systems, records of stolen credential purchases, and videos of Jubair accessing the network.

The attackers used Telegram and a shared online collaboration platform to coordinate their activities. The NCA confirmed that the breach resulted in £29 million ($38.3 million) in financial losses for TfL, including remediation costs and operational disruptions. TfL publicly acknowledged the data theft on 12 September 2024, the same day Flowers was initially arrested as a suspect. The NCA later stated that the attack had broader implications for the UK’s critical national infrastructure, describing it as a "significant inconvenience for customers."

Broader implications

The case highlights the vulnerabilities in public-sector digital infrastructure, particularly for organizations managing critical services. The NCA emphasized the importance of early collaboration with law enforcement, noting that TfL’s prompt engagement was instrumental in securing convictions. Deputy Director Paul Foster urged other organizations to follow suit, stating that such cooperation is vital for mitigating the impact of cyberattacks.

Beyond TfL, authorities have linked Flowers to breaches at two US healthcare providers, SSM Health Care Corporation and Sutter Health. These incidents suggest a pattern of targeting high-value, data-rich environments. The NCA’s investigation also revealed that Flowers violated bail conditions twice in 2025, once in March and again in May, further complicating the legal proceedings.

What to watch

The sentencing of Jubair and Flowers is scheduled for 16 July 2026. While the guilty pleas have resolved the immediate legal proceedings, the case may prompt renewed scrutiny of cybersecurity practices in public transport and other critical infrastructure sectors. Organizations may face increased pressure to adopt proactive measures, such as breach and attack simulation tools, to identify and address vulnerabilities before they are exploited by malicious actors.

For professionals in the hosting and cloud infrastructure space, the incident underscores the need for robust access controls, multi-factor authentication, and continuous monitoring of high-risk systems. The use of stolen credentials in this attack also highlights the importance of credential hygiene and the risks posed by underground marketplaces trading in compromised access.