Two members of the cybercriminal group Scattered Spider have admitted to orchestrating a cyberattack on Transport for London (TfL) that led to significant service disruptions and financial losses estimated at £29 million.
Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands, confessed to infiltrating TfL’s internal network between August 31 and September 3, 2024. This breach compromised critical systems, necessitating emergency remediation measures across the organization’s infrastructure.
Investigations by the UK’s National Crime Agency (NCA) and the City of London Police (COLP) revealed that the attackers’ unauthorized access prompted a comprehensive password reset for approximately 28,000 employees. Staff were required to physically visit offices to reauthenticate, underscoring the severity of the security breach and the erosion of trust in internal identity systems.
The cyberattack also disrupted TfL’s Oyster card refund system, delaying customer reimbursements and temporarily halting the Oyster photocard application process used by children and young people. While the full extent of data exposure remains undisclosed, the operational impact significantly affected public services and customer experience.
Investigation and Evidence
Digital forensics played a pivotal role in the investigation. Upon Flowers’ arrest on September 6, 2024, authorities seized multiple devices, including laptops, external drives, and USB storage. An Acer laptop contained a screenshot indicating active connectivity to TfL’s infrastructure, providing direct evidence of unauthorized access.
Further analysis revealed that Flowers had utilized online marketplaces to acquire compromised credentials, suggesting that credential-based intrusion techniques were employed during the attack. Additionally, recorded videos showed Jubair actively navigating TfL systems during the breach. The pair coordinated via Telegram and other online tools, indicating a structured, real-time execution of the attack.
Investigators also linked Flowers to intrusions targeting U.S. healthcare organizations, including SSM Health Care Corporation and Sutter Health, demonstrating the group’s broader international targeting footprint. This aligns with known Scattered Spider tactics, which often involve social engineering, credential theft, and targeting large enterprises and critical infrastructure.
Flowers was released on bail but violated conditions twice in 2025, raising concerns about continued risk behavior during the investigation period. Both individuals, who were due to stand trial at Woolwich Crown Court, pleaded guilty at the start of proceedings and are scheduled to be sentenced on July 16, 2026.
Law enforcement officials emphasized the real-world impact of cybercrime, particularly when targeting critical infrastructure. The case underscores the necessity for robust cybersecurity measures and the importance of vigilance against social engineering tactics employed by groups like Scattered Spider.
