Secure Bulletin Navigating the cyber sea with knowledge
Home > Articolo > Scattered Spider Duo Sentenced Over £29 Million Transport for London Cyberattack
Scattered Spider Duo Sentenced Over £29 Million Transport for London Cyberattack
Read Time:3 Minute, 41 Second

Two young members of the Scattered Spider cybercrime collective are heading to prison for a 2024 attack that crippled 148 Transport for London (TfL) systems, forced all 27,000 TfL staff to reset their passwords in person, and left the transit authority with a bill of roughly £29 million. Prosecutors have described the case as the largest cybercrime prosecution ever brought before courts in the United Kingdom.

Guilty Pleas and Sentencing

Thalha Jubair, 20, of East London, and Owen Flowers, 18, of Walsall, each entered guilty pleas back on June 22, 2026. On July 16, Woolwich Crown Court sentenced both men to five years and six months in prison. The charges fell under Section 3ZA of the UK’s Computer Misuse Act, the statute’s most serious offense category, reserved for unauthorized computer access that causes or risks causing serious damage.

Three Days That Disrupted a City’s Transit System

The intrusion itself took place between August 31 and September 3, 2024, when the pair broke into TfL’s internal network. TfL’s incident response team managed to contain the most severe potential outcomes, but the disruption to public-facing services was still substantial. Dial-a-Ride transport for vulnerable Londoners, concessionary travel card processing, digital payment systems, Oyster card refunds, and the online application process for children’s Oyster photocards were all knocked offline or degraded. Plans to expand contactless ticketing were also delayed as a direct result.

Every one of TfL’s 27,000 employees had to physically report to an office location to reset their passwords, since the breach ruled out doing so remotely or digitally. Several critical internal systems required manual, non-digital workarounds to keep functioning. Data held within the Oyster refunds system was accessed by the attackers, leaving some customers facing longer waits to get their money back. TfL formally reported the incident through the City of London Police’s Action Fraud reporting channel.

A Near-Miss on a Much Larger Scale

Investigators involved in the case assessed that, had the attack escalated into a full shutdown of London’s transport network, the broader economic damage to the UK could have reached as high as £56 billion, an estimate that puts the actual outcome in useful perspective: swift containment work likely prevented a far more damaging scenario.

Who Are Scattered Spider, and How Were They Caught

Jubair and Flowers were identified as leading figures within Scattered Spider, a loosely organized cybercrime group known for social engineering attacks, SIM-swapping schemes, and data extortion campaigns targeting large organizations. The National Crime Agency (NCA), working alongside City of London Police, tracked down both men in the wake of the TfL breach and arrested them at their homes on September 16, 2024.

Digital forensics proved decisive. Devices seized from Flowers, including laptops, desktop towers, external hard drives, and USB storage sticks, contained a screenshot showing an active connection into TfL’s infrastructure, along with video recordings of Jubair operating inside TfL’s systems during the attack itself. Investigators also found that the pair coordinated over Telegram and shared access to a common remote virtual workspace.

Flowers’ activity wasn’t limited to TfL: he was separately found to have targeted US healthcare organizations SSM Health and Sutter Health. He was later rearrested after breaching the terms of his bail by using a prohibited device, while Jubair faced an additional charge for refusing to hand over device PINs and passwords to investigators.

Industry and Government Reaction

Microsoft’s threat intelligence team assessed that these arrests have materially weakened Scattered Spider’s operational capacity, though the company cautioned that other actors could still adopt the group’s name and tactics going forward.

  • NCA Deputy Director Paul Foster described the case as the largest cybercrime prosecution ever brought before UK courts, and urged organizations facing similar attacks to involve law enforcement early rather than trying to manage incidents entirely in-house.
  • City of London Police Commander Ollie Shaw pointed to proposed Cyber Crime Risk Orders, effectively a form of “digital prison” that would let courts impose device and technology restrictions on high-risk offenders after release.
  • Security Minister Dame Angela Eagle and TfL Commissioner Andy Lord both commended the investigative work and emphasized the continued need for stronger cyber resilience across critical infrastructure operators.

The FBI’s Cyber Division separately noted that Scattered Spider has a well-documented pattern of using extortion and social engineering to target critical services, underscoring that this case, however significant, is unlikely to be the group’s last chapter.

Share: Twitter  |  Facebook  |  LinkedIn
Join the discussion

This is a blog in the Fediverse: you can find this article everywhere with @blog@securebulletin.com and every comment/answer will appear here.

If you want to comment on Scattered Spider Duo Sentenced Over £29 Million Transport for London Cyberattack, use the discussion on Forum.

>> forum community

Comments

Leave a Reply