Two British cybercriminals have pleaded guilty to a cyber-attack on Transport for London (TfL) in 2024 that cost £39 million and affected 10 million people. Thalha Jubair, 20, and Owen Flowers, 18, admitted offences under the Computer Misuse Act at Woolwich Crown Court on Monday. The pair are linked to the Scattered Spider hacking group, which the National Crime Agency (NCA) says is responsible for several recent attacks.
The attack took place between 29 August and 3 September 2024, disrupting live tube arrival information on the TfL Go app and website, and preventing payment processing on Oyster and contactless apps. TfL said it emailed over 7 million customers in September 2024 to inform them that some customer data may have been taken. The BBC reported that 10 million TfL customers had their data stolen.
Jubair, of Bow in east London, and Flowers, of Walsall in the West Midlands, both admitted conspiring to commit unauthorised acts against TfL computer systems, causing risk of serious damage to human welfare. Flowers also admitted hacking two US healthcare companies: SSM Health Care Corporation and attempting to hack Sutter Health. The pair entered their pleas on the first day of what was due to be a six-week trial.
Mr Justice Turner remanded both defendants in custody ahead of a sentencing hearing on 15 July. Jubair has also been accused by the US Department of Justice of involvement in cyber-attacks targeting 47 US organisations that garnered over $100 million in ransom payments. Flowers denied two further hacking charges, which were ordered to lie on file.
Paul Foster, head of the NCA’s national cyber crime unit, said the incident underlined the growing threat from homegrown hackers. “The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cybercriminals based in the UK and other English-speaking countries, epitomised by Scattered Spider,” he said. Investigators found devices at Flowers’ home containing evidence of the attack, including a screenshot showing network connectivity to TfL infrastructure and videos of Jubair accessing TfL systems.
Both defendants have been diagnosed with autism, and Jubair also has depression and a severe mood disorder. Jubair has been convicted of 22 offences, including 13 cou
