Jun 22, 2026
Two Men Plead Guilty to £39m Cyber Attack on Transport for London
Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty to a 2024 cyber attack on Transport for London that caused £39 million in losses and compromised data of up to 10 million customers. The attack, linked to the Scattered Spider hacking group, disrupted services for months and forced a widespread password reset for employees.





Quick Facts
- Who: Thalha Jubair
- What: pleaded guilty
- When: 2024
- Where: Bow, east London
- pleaded guilty
- cyber attack on Transport for London
- disrupted TfL services
- accessed customer data
- forced password reset for 28,000 employees
Two British men have pleaded guilty to orchestrating a devastating cyber attack on Transport for London (TfL) in 2024, causing widespread disruption, compromising the data of millions of customers, and resulting in £39 million in losses. Thalha Jubair, 20, from Bow, east London, and Owen Flowers, 18, from Walsall, West Midlands, admitted to conspiring to commit unauthorised acts against TfL’s computer systems under the Computer Misuse Act. Their guilty pleas were entered on the first day of their scheduled six-week trial at Woolwich Crown Court on Monday.
The attack, which occurred between late August and early September 2024, was attributed by the National Crime Agency (NCA) to the notorious online criminal group Scattered Spider. The infiltration forced all 28,000 TfL employees to attend offices for password resets and shut down key online services, including live tube arrival information on the TfL Go app and the Oyster card registration and refund system. Customers were left unable to apply for Oyster photocards, and some faced significant delays in receiving refunds. TfL reported that data from up to 10 million customers may have been accessed, prompting the authority to contact over 7 million affected individuals.
NCA investigators revealed that the duo communicated via the encrypted messaging platform Telegram and an online collaborative workspace. Digital evidence recovered from Flowers’ home—including laptops, hard drives, and USB devices—contained screenshots showing connectivity to TfL’s infrastructure and videos recorded by Flowers that depicted Jubair accessing the systems during the attack. Flowers also admitted to attempting to hack healthcare companies in the United States, including Sutter Health and SSM Health Care Corporation.
Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, described the investigation as “lengthy, highly complex and painstaking.” He said, “Cyber crime may appear faceless and distant, but the infiltration of TfL’s systems shows it has real-world consequences and impacts hugely on the public.” Foster also noted that the case highlights the growing threat of cyber criminals based in English-speaking countries, epitomised by the Scattered Spider group, which has been linked to attacks on other major organisations.
Both men were arrested in September 2024 during a joint operation by the NCA and the City of London Police. Flowers had previously been granted bail but violated its conditions in March and May 2025. The pair have been remanded in custody and are due to be sentenced on 15 July. Transport Commissioner Andy Lord welcomed the guilty pleas, affirming that TfL remains committed to safeguarding its systems and customer data.
Why This Matters
This case demonstrates the severe financial and operational damage that even relatively young cyber criminals can inflict on critical public infrastructure. For readers managing or guarding organizations, it highlights the need for robust cybersecurity measures, particularly against groups like Scattered Spider that use social engineering and encrypted communications. It also underscores the importance of international cooperation in cyber crime investigations, as the attackers targeted US healthcare companies alongside UK transport systems.
Timeline & Sources
- Aug 29, 2024: Cyber attack on Transport for London begins.
- Aug 31, 2024: Network intrusion detected; TfL services disrupted.
- Sep 3, 2024: Attack concludes.
- Sep 6, 2024: Owen Flowers arrested in connection with the TfL attack; evidence of US healthcare hacks discovered.
- Sep 16, 2024: Thalha Jubair also arrested by NCA and City of London Police.
- Mar 1, 2025: Owen Flowers breaches bail conditions.
- May 1, 2025: Owen Flowers breaches bail conditions again.
- Jun 22, 2026: Jubair and Flowers plead guilty at Woolwich Crown Court, avoiding trial.
- Jul 15, 2026: Sentencing scheduled.
Sources
- Two men plead guilty over £39m TfL cyber attack. BBC, Jun 22, 2026.
- Two Britons plead guilty to £39m 2024 cyber-attack on Transport for London. The Guardian, Jun 22, 2026.
- Cyber criminals who hacked into Transport for London's computer network are convicted. National Crime Agency, Jun 23, 2026.
- Scattered Spider cybercriminals admit hack that paralysed TfL. The Times, Jun 23, 2026.