Key facts
- Thalha Jubair, 20, and Owen Flowers, 18, admitted to a cyber attack on Transport for London (TfL).
- The attack occurred between August 31 and September 3, 2024.
- The incident resulted in an estimated £39 million loss for TfL.
- The cybercriminals accessed data from TfL's Oyster refunds and customer refund systems.
- Both individuals were members of the online criminal group Scattered Spider.
- They changed their pleas to guilty on June 22, 2025, and are scheduled for sentencing on July 16, 2025.
Two young men, Thalha Jubair, 20, and Owen Flowers, 18, have admitted to carrying out a significant cyber attack on Transport for London (TfL) between August 31 and September 3, 2024. The attack, which cost TfL an estimated £39 million in losses and recovery, forced a network-wide password reset for all 28,000 employees and disrupted customer systems, including the Oyster refunds and application systems.
Jubair and Flowers, identified as members of the online criminal group Scattered Spider, were arrested on September 16, 2024, following an investigation by the National Crime Agency (NCA) and City of London Police. Evidence found on Flowers' devices included screenshots of TfL network connectivity and videos appearing to show Jubair accessing TfL systems during the attack. Flowers was also linked to separate infiltrations of US healthcare companies SSM Health Care Corporation and Sutter Health.
The pair were due to stand trial but changed their pleas to guilty on June 22, 2025. They are scheduled to be sentenced at Woolwich Crown Court on July 16, 2025. Officials from the NCA and City of London Police emphasized the real-world consequences of cyber crime and the importance of early engagement with law enforcement by targeted organizations.