Two young men have admitted their involvement in a cyber attack that cost Transport for London (TfL) an estimated £39 million and caused widespread disruption, the National Crime Agency (NCA) has confirmed.
Thalha Jubair, 20, and Owen Flowers, 18, targeted TfL’s network between 29 August and 6 September 2024.
The breach necessitated a password reset for 28,000 employees.
The attack meant data from the Oyster refund system was compromised, customer refunds were delayed, and the suspension of applications for children and young people’s Oyster photocards.
The defendants were identified as members of Scattered Spider, a criminal hacking collective linked to other high-profile cyber incidents affecting companies such as Jaguar Land Rover and retailers including Marks and Spencer.
Initially denying charges of conspiring to commit unauthorised acts related to the attack, both individuals changed their pleas to guilty at Woolwich Crown Court on Monday, just before their trial was scheduled to commence.
Flowers, of Walsall, West Midlands, who was first arrested over the TfL attack in September 2024 and then arrested again in September last year, also admitted targeting US healthcare firms.
He pleaded guilty to conspiring with others to commit unauthorised acts against SSM Health Care Corporation and attempting to commit unauthorised acts against Sutter Health.
Investigators found a range of electronic devices at Flowers’ home, including laptops, computers, hard drives and USB sticks, the NCA said.
They found one laptop included a screenshot showing connectivity to TfL’s infrastructure while evidence he accessed an online tool selling breached credentials was also discovered.
Officers also found videos recorded by Flowers that showed Jubair accessing TfL systems during the attack, the NCA said.
The investigation found the pair were messaging through Telegram and collaborating via a shared online workspace.
Jubair, from Tower Hamlets, east London, faced an additional charge under the Regulation of Investigatory Powers Act of failing to disclose the Pin or passwords of his devices, which he denied, but that was left to lie on the file.
Deputy director Paul Foster, head of the NCA’s national cyber crime unit, said: “Cyber crime may appear faceless and distant compared to other crime types, but the infiltration of TfL’s systems shows it has real-world consequences and impacts hugely on the public.
“The attack caused millions of pounds in losses to a key part of the UK’s critical national infrastructure and was a significant inconvenience for customers.
“Today’s result would not have been possible if TfL had not engaged with law enforcement early, so I would urge any other organisation to please do the same in such circumstances.
“The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cyber criminals based in the UK and other English-speaking countries, epitomised by Scattered Spider.
“This is why we work closely with partners at home and abroad to identify offenders within these networks and bring them to justice.”
The pair will be sentenced at the same court on July 15 and 16.
Andy Lord, London’s transport commissioner, said: “We welcome the news that two people charged in relation to the cyber incident which impacted our operations in 2024 have now pleaded guilty.
“The security of our systems and customer data is extremely important to us, and we continually monitor our systems to ensure only those authorised can gain access and continue to take the necessary actions to protect TfL.
“We thank the hard work of our staff and of the National Crime Agency and partners for their investigations into this incident.”
