£39m Transport for London Cyber-Attack Ends in Guilty Pleas

A £39m Transport for London cyber-attack has become a guilty-plea case after two young Britons admitted offences linked to a breach that affected 10 million people and disrupted key TfL online systems.

Two Britons admit £39m Transport for London cyber-attack on first day of trial

Thalha Jubair, 20, and Owen Flowers, 18, changed their pleas at Woolwich crown court on Monday, admitting offences under the Computer Misuse Act tied to the 2024 cyber-attack on Transport for London, according to Guardian World.

The pair had been due to face a six-week trial. Instead, they pleaded guilty on day one and are due to be sentenced on 15 July.

The National Crime Agency said Jubair and Flowers were part of Scattered Spider, an online criminal collective that cybersecurity analysts have linked to a series of major intrusions. The Guardian reported that the group is suspected of carrying out several attacks in recent years.

TfL said the incident cost £39m. The BBC reported that the breach affected 10 million TfL customers, while TfL said it emailed more than 7 million customers in September 2024 “to inform them about the incident” and tell them that “some customer data may have been taken.”

The attack ran between 29 August and 3 September 2024, according to the Guardian. It blocked live Tube arrival information from appearing on the TfL Go app and the TfL website. TfL was also unable to process payments on the Oyster and contactless apps or register Oyster cards to customer accounts.

Flowers also admitted conspiring to commit unauthorised acts against computer systems belonging to SSM Health Care Corporation and attempting to commit unauthorised acts against systems belonging to Sutter Health, on or about 6 September 2024.

TfL breach turned a cyber intrusion into a public service problem

The Transport for London cyber-attack matters because TfL is not a narrow corporate target. It is the London mayor’s transport authority and handles up to 5m passenger journeys a day on the underground alone, according to the Guardian.

That means a system breach can spill quickly into daily life. In this case, customers lost access to live arrival information, payment processing was interrupted on Oyster and contactless apps, and Oyster card registration was disrupted.

The NCA said the hackers accessed TfL’s refunds system, leaving some customers out of pocket for much longer than usual. The attack also shut the application system for Oyster photocards for children and young people.

“Cyber crime may appear faceless and distant compared to other crime types, but the infiltration of TfL’s systems shows it has real-world consequences and impacts hugely on the public,” said Paul Foster, head of the NCA’s national cyber crime unit.

The £39m cost figure is the hard number TfL has put on the incident. The supplied reports do not break that sum down, so it would be unsafe to assign exact amounts to recovery, legal work, customer support, or operational disruption. But the operational symptoms are clear: TfL systems went offline, refunds slowed, apps stopped handling some functions, and customers had to be notified.

Investigators found laptops, hard drives and USB sticks at Flowers’ West Midlands home. One laptop contained a screenshot showing network connectivity to TfL infrastructure. It also held videos recorded by Flowers that showed Jubair accessing TfL systems during the attack, according to the NCA.

The pair used Telegram to communicate and also used an online tool that allowed multiple participants to work together remotely. The BBC reported that Flowers was found to have accessed an online tool selling breached credentials.

For readers tracking how cyber incidents move from technical flaws to real-world exposure, XOOMAR has also covered the 3-Day CISA Deadline Throws cPanel Plugin Flaw into Crisis and the Texas Data Breach Hands Hackers 3 Million ID Records. Those cases are separate, but they show why investigators and operators focus so heavily on access paths, disclosure timing, and exposed personal data.

Scattered Spider link puts UK-based hackers in the frame

The NCA said Flowers and Jubair were “members of the online criminal collective known as Scattered Spider.” That label matters because the agency framed the case as part of a shift in offender profile, not just another isolated intrusion.

“The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cybercriminals based in the UK and other English-speaking countries, epitomised by Scattered Spider,” Foster said.

The Guardian reported that high-profile hacks have typically been carried out by Russian-speaking hackers or attackers based in the former Soviet Union. The NCA’s point is that the TfL case shows a different pipeline: young, UK-based defendants tied to an English-speaking criminal community.

The BBC reported that Scattered Spider has been linked to other cyber-attacks on Jaguar Land Rover and retailers including Marks and Spencer. The supplied reports do not establish that Jubair and Flowers were involved in those incidents, so the TfL guilty pleas should not be stretched beyond the charges they admitted.

Jubair has also been accused by the US Department of Justice of involvement in cyber-attacks targeting 47 US organisations and generating more than $100m (£75m) in ransom payments, according to the Guardian. Those US allegations are separate from the guilty pleas at Woolwich crown court.

A previous hearing was told that $10m moved from Jubair’s crypto wallets after he was released from custody in March last year and that $200m worth of crypto had moved through accounts belonging to him. Another earlier hearing was told Flowers held $7.1m, including crypto, in accounts he controlled despite having no source of income.

Sentencing now becomes the test for a £39m public infrastructure hack

The next stage is sentencing on 15 July, when the court will weigh admitted offending against the scale of harm: £39m in costs, disruption to TfL systems, customer data exposure, and impact on refund and photocard services.

The supplied reports centre on the admitted Computer Misuse Act offences, the guilty pleas at Woolwich crown court, and the listed sentencing date. That leaves the case focused on the charges Jubair and Flowers admitted and the operational harm described by TfL and investigators.

Andy Lord, London’s Transport Commissioner, said TfL welcomed the guilty pleas.

“The security of our systems and customer data is extremely important to us, and we continually monitor our systems to ensure only those authorised can gain access and continue to take the necessary actions to protect TfL,” Lord said.

XOOMAR analysis: the sentencing hearing will be watched for how the court treats cyber harm against public infrastructure when the defendants are young but the operational cost is large. The known facts give prosecutors a direct argument: this was not a contained data incident. It interrupted public-facing transport systems and imposed a stated £39m cost.

The practical watch items are narrower and more useful than broad alarm. Will investigators name or pursue more Scattered Spider-linked suspects? Will TfL provide further customer updates after the guilty pleas? And will the sentencing remarks give clearer guidance on how UK courts price disruption when a cyber-attack hits a service millions of people rely on every day?

Impact Analysis

• The breach disrupted TfL digital services used by millions of London travellers.
• TfL said the incident cost £39m, highlighting the financial impact of major cyber-attacks on public infrastructure.
• The guilty pleas put renewed focus on Scattered Spider and the threat posed by organised cyber-criminal groups.