Transport for London (TfL) suffered an estimated loss of £39 million due to a cyber attack carried out by two individuals, confirmed by the National Crime Agency (NCA). Thalha Jubair, aged 20, and 18-year-old Owen Flowers targeted TfL's network from August 29 to September 6, 2024. The attack led to a significant breach requiring a password reset for 28,000 employees and resulted in the compromise of the Oyster refund system, causing delays in customer refunds.
Both men, affiliated with the hacking group Scattered Spider, initially pleaded not guilty but changed their pleas to guilty at Woolwich Crown Court just before their trial. Flowers, who is from Walsall, West Midlands, confessed to also targeting US healthcare firms, including SSM Health Care Corporation and Sutter Health.
During the investigation, law enforcement uncovered various electronic devices at Flowers' residence, with one laptop linking directly to TfL's infrastructure. Evidence showed that the two communicated via Telegram and worked together in a shared online space. Jubair faced an additional charge for not disclosing device passwords, which he denied, but that charge was left unresolved.