Scattered Spider Members Plead Guilty to Transport for London Hack


What happened

Two members of the Scattered Spider cybercrime group pleaded guilty to hacking Transport for London systems in 2024.

Thalha Jubair, 20, and Owen Flowers, 18, breached the systems of London’s transportation service between August 31 and September 3, 2024. The attack caused operational disruption, exposed customer data, and resulted in millions of pounds in losses.

Transport for London suffered a cybersecurity incident on September 2, 2024, causing disruptions that continued for days. The attackers accessed data from TfL’s Oyster refunds system and disrupted customer refund services, delaying refunds for some users.

On September 12, TfL confirmed that customer data had been stolen in the attack. The UK’s National Crime Agency also announced the arrest of Flowers, who was a suspect at the time.

Jubair and Flowers had previously denied involvement in the incident but changed their pleas to guilty on the first day of proceedings at Woolwich Crown Court.

According to the National Crime Agency, the attack forced all 28,000 TfL employees to visit local offices to reset their passwords and caused £29 million in financial damage to the public transportation organization.

Investigators seized multiple devices from Flowers’ home, including a laptop containing a screenshot showing connectivity to TfL infrastructure, evidence of access to a marketplace selling stolen credentials, and videos showing Jubair breaching TfL systems.

The attackers communicated through Telegram and a shared online collaboration platform during the intrusion. Authorities also linked Flowers to intrusions at SSM Health Care Corporation and Sutter Health, both U.S. healthcare organizations.

The two Scattered Spider members had been scheduled to stand trial on June 22; after they changed their pleas to guilty, sentencing was set for July 16.

Who is affected

Transport for London was directly affected by the attack, along with its employees and customers.

The incident disrupted TfL operations, delayed customer refund services, and forced 28,000 employees to reset their passwords in person. Customers whose data was accessed or stolen through the Oyster refunds system may also have been affected.

The case also matters to the broader public transport sector. TfL is a major public body responsible for much of London’s transport network, and the incident shows how an attack on a transport operator creates operational, financial, customer-service and public-trust consequences at once.

Why CISOs should care

This case shows how cybercrime groups can cause major disruption to critical public services without necessarily relying on ransomware encryption. The TfL attack affected customer services, employee access, data security, and organizational operations over multiple days.

For CISOs, the scale of the password reset effort is especially important. Requiring 28,000 employees to reset passwords in person demonstrates how identity recovery can become a major operational burden after a cyberattack.

The evidence described by investigators also reinforces the role of stolen credentials and attacker collaboration platforms in modern intrusions. Devices seized from Flowers allegedly contained evidence of access to a stolen credential marketplace, while the attackers used Telegram and a shared online collaboration platform during the breach.

The case also highlights the value of early law enforcement engagement. The National Crime Agency said the result would not have been possible if TfL had not engaged with law enforcement early.

3 practical actions

  1. Prepare large-scale identity recovery procedures: The TfL attack forced all 28,000 employees to reset passwords at local offices. CISOs should test whether they can reset credentials, revoke sessions, rotate access, and restore employee authentication quickly during a major incident.
  2. Monitor for credential marketplace exposure and suspicious access: Investigators found evidence of access to a marketplace selling stolen credentials. Security teams should monitor for exposed employee credentials, unusual login activity, credential stuffing, and access attempts from unfamiliar infrastructure.
  3. Engage law enforcement early during major intrusions: The National Crime Agency emphasized that TfL’s early engagement with law enforcement helped enable the outcome. Organizations should define escalation paths for notifying law enforcement when attacks involve critical services, stolen data, or suspected organized cybercrime groups.
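As an added illustration of action 2 (this is example code written for this page, not TfL's or the NCA's tooling), the script below runs two detections over a few constructed authentication log lines: a source that tries many distinct accounts in a short window with mostly failures (credential stuffing), and successful logins from addresses outside the organisation's known networks. It also shows the k-anonymity style check used to test whether a password appears in an exposed-credential corpus without sending the password or its full hash anywhere. The log format, the CIDR ranges, the thresholds and the local "exposed password" corpus are all assumptions.

```python
"""Added example: triage constructed auth logs for credential stuffing and
unfamiliar-infrastructure logins, plus a prefix-based exposed-password check.
Log format, network ranges, thresholds and corpus are assumptions for this page."""
import hashlib
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one JSON event per line (not real TfL data).
SAMPLE_LOG = """
{"ts": "2024-09-01T01:00:01Z", "user": "alice", "src": "10.20.0.5",   "result": "success"}
{"ts": "2024-09-01T01:00:05Z", "user": "bob",   "src": "203.0.113.7", "result": "failure"}
{"ts": "2024-09-01T01:00:06Z", "user": "carol", "src": "203.0.113.7", "result": "failure"}
{"ts": "2024-09-01T01:00:07Z", "user": "dave",  "src": "203.0.113.7", "result": "failure"}
{"ts": "2024-09-01T01:00:08Z", "user": "erin",  "src": "203.0.113.7", "result": "failure"}
{"ts": "2024-09-01T01:00:09Z", "user": "frank", "src": "203.0.113.7", "result": "failure"}
{"ts": "2024-09-01T01:00:10Z", "user": "grace", "src": "203.0.113.7", "result": "success"}
{"ts": "2024-09-01T01:30:00Z", "user": "heidi", "src": "198.51.100.9", "result": "success"}
{"ts": "2024-09-01T02:00:00Z", "user": "alice", "src": "192.0.2.44",  "result": "failure"}
{"ts": "2024-09-01T02:00:03Z", "user": "alice", "src": "192.0.2.44",  "result": "success"}
"""

# Assumed "known" infrastructure: office LAN and VPN egress ranges.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]


def parse_log(text):
    """Parse JSON-per-line events and convert timestamps to datetime."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.6):
    """Flag a source IP that hits many distinct accounts within `window`
    with a high failure ratio; report any accounts it did log into."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):           # sliding time window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "failure" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                if best is None or len(win) > best["attempts"]:
                    best = {"src": src, "users": len(users), "attempts": len(win),
                            "compromised": sorted(e["user"] for e in win
                                                  if e["result"] == "success")}
        if best:
            findings.append(best)
    return findings


def detect_unfamiliar_logins(events, known=KNOWN_NETWORKS):
    """Successful logins whose source is outside every known network."""
    out = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        addr = ipaddress.ip_address(e["src"])
        if not any(addr in net for net in known):
            out.append((e["user"], e["src"]))
    return out


# Constructed local corpus of exposed-password SHA-1 digests; stands in for a
# real breach corpus or a range query to a k-anonymity password API.
EXPOSED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                for p in ("Password123", "Summer2024!", "letmein")}


def exposed_suffixes_for_prefix(prefix5):
    """Simulated range lookup: all exposed-hash suffixes sharing a 5-hex prefix.
    Only the prefix would leave the organisation in a real query."""
    return {h[5:] for h in EXPOSED_SHA1 if h.startswith(prefix5)}


def password_is_exposed(password):
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[5:] in exposed_suffixes_for_prefix(h[:5])


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing:", detect_credential_stuffing(evs))
    print("unfamiliar:", detect_unfamiliar_logins(evs))
    print("exposed:", password_is_exposed("Password123"))
```

On the sample, the stuffing detector reports 203.0.113.7 cycling through six accounts with one success (grace), which is exactly the account to force-reset and session-revoke first; the unfamiliar-login check separately surfaces alice's success from 192.0.2.44. The thresholds are deliberately conservative and should be tuned against a baseline of the organisation's own authentication traffic before alerting on them.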

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.