Two hackers have pleaded guilty to orchestrating a cyber attack on Transport for London (TfL) that resulted in £39 million in losses, the National Crime Agency (NCA) confirmed. Thalha Jubair, 20, and Owen Flowers, 18, infiltrated TfL's network between August 29 and September 6, 2024, causing significant disruption and forcing 28,000 employees to reset their passwords.
Details of the Attack
The breach compromised the Oyster refund system, leading to delays in customer refunds and the suspension of applications for Oyster photocards for children and young people. The NCA stated that the attackers accessed sensitive data, though no financial or banking details were compromised. The pair were members of the cybercrime group Scattered Spider, which has been linked to attacks on Jaguar Land Rover and retailers like Marks and Spencer.
Court Proceedings
Jubair and Flowers initially denied conspiring to commit unauthorized acts but changed their pleas to guilty at Woolwich Crown Court on Monday, just before their trial was due to begin. Flowers, from Walsall, West Midlands, also admitted to targeting US healthcare firms, including conspiring to attack SSM Health Care Corporation and attempting to attack Sutter Health. Investigators found electronic devices at Flowers' home containing evidence of the TfL hack, including a laptop with a screenshot showing connectivity to TfL's infrastructure and videos of Jubair accessing TfL systems.
Investigation Findings
The NCA revealed that the pair communicated via Telegram and collaborated through a shared online workspace. Jubair, from Tower Hamlets, east London, faced an additional charge under the Regulation of Investigatory Powers Act for failing to disclose device passwords, but this was left to lie on the file. Deputy Director Paul Foster, head of the NCA's national cyber crime unit, emphasized the real-world impact of cyber crime, stating: "The attack caused millions of pounds in losses to a key part of the UK’s critical national infrastructure and was a significant inconvenience for customers."
Sentencing and Implications
The pair will be sentenced at Woolwich Crown Court on July 15 and 16. Foster urged organizations to engage with law enforcement early in such incidents, noting that the profile of these offenders highlights the growing threat from UK-based cyber criminals. The case underscores the disruptive potential of cyber attacks on critical infrastructure and the importance of robust cybersecurity measures.
