Two Hackers Jailed for Hacking 148 TfL Systems, Forcing 27,000 Staff Password Resets
Key Takeaways Two individuals associated with the Scattered Spider group were sentenced for a cyberattack on Transport for London (TfL). The breach in August-September 2024 disrupted 148 TfL systems,...
Key Takeaways
- Two individuals associated with the Scattered Spider group were sentenced for a cyberattack on Transport for London (TfL).
- The breach in August-September 2024 disrupted 148 TfL systems, forced 27,000 staff password resets, and cost approximately £29 million.
- Services for vulnerable citizens and public transport operations experienced significant disruptions and delays.
- Investigators highlight the potential for far greater economic damage if the attack had not been contained.
Hackers Behind Major TfL Cyberattack Sentenced to Prison
Two key members of the notorious cybercrime collective Scattered Spider have received significant prison sentences for their involvement in a 2024 attack that severely crippled Transport for London (TfL) systems. The extensive breach impacted 148 critical systems, necessitated a mandatory in-person password reset for all 27,000 TfL employees, and incurred an estimated £29 million in damages for the public transport operator.
Table Of Content
Guilty Pleas and Sentencing
On June 22, 2026, Thalha Jubair and Owen Flowers admitted guilt to charges related to the cyberattack on Transport for London, an incident that led to considerable operational disturbances. Jubair, 20, residing in East London, and Flowers, 18, from Walsall, were each handed a sentence of five years and six months at Woolwich Crown Court on July 16, 2026. Both individuals pleaded guilty under Section 3ZA of the Computer Misuse Act, which addresses unauthorized actions causing or risking severe harm, marking it as the most serious offense under the Act.
Impact of the Cyber Infiltration
Between August 31 and September 3, 2024, the duo successfully penetrated TfL’s digital infrastructure. While rapid containment efforts prevented the most catastrophic outcomes, several public-facing services were nonetheless affected. Disruptions included essential services like Dial-a-Ride for vulnerable Londoners, the processing of concessionary travel cards, digital payment functionalities, Oyster card refunds, and the application process for children’s Oyster photocards. Furthermore, the planned expansion of contactless ticketing systems faced delays.
The aftermath of the attack required all 27,000 TfL personnel to physically visit an office location to reset their passwords. Critical operational systems had to rely on manual workarounds, and customer data from the Oyster refunds system was accessed, leading to extended wait times for some individuals awaiting their money. Following the incident, TfL promptly reported the cyberattack to the City of London Police’s Report Fraud service.
Investigators emphasized the severe potential consequences, noting that a complete shutdown of London’s transport network could have inflicted an economic cost of up to £56 billion on the UK economy.
The Scattered Spider Connection and Investigation
Jubair and Flowers were identified as prominent figures within Scattered Spider, a cybercrime group notorious for its sophisticated use of social engineering, SIM-swapping, and data extortion tactics. The National Crime Agency (NCA) and City of London Police collaborated to identify the perpetrators following the TfL breach, leading to their arrests at their respective homes on September 16, 2024.
Evidence recovered from Flowers’ residence, including laptops, desktop towers, hard drives, and USB drives, contained a screenshot demonstrating connectivity to TfL’s infrastructure and video recordings of Jubair actively accessing TfL systems during the attack. The two communicated via Telegram and utilized a shared remote workspace for their illicit activities. Further investigation revealed Flowers’ involvement in hacking US healthcare providers SSM Health and Sutter Health. He was subsequently re-arrested for violating bail conditions related to device usage, while Jubair faced charges for failing to provide device PINs and passwords.
Microsoft’s analysis indicated that the arrests significantly impaired Scattered Spider’s operational capabilities, despite the possibility of other actors continuing to misuse the group’s branding.
Paul Foster, Deputy Director at the NCA, hailed the prosecution as the largest cybercrime case ever brought before UK courts, urging organizations to engage law enforcement authorities at an early stage. Commander Ollie Shaw of the City of London Police highlighted the proposed Cyber Crime Risk Orders as a potential tool for imposing restrictions on high-risk offenders’ device and technology use, effectively creating a form of “digital prison.”
Security Minister Dame Angela Eagle and TfL Commissioner Andy Lord commended the investigative efforts and underscored the critical need for enhanced cyber resilience across all sectors. The FBI Cyber Division noted Scattered Spider’s consistent reliance on extortion and social engineering against vital services.
What You Should Do
- Implement strong, unique passwords for all accounts and enforce multi-factor authentication (MFA).
- Conduct regular cybersecurity awareness training for all staff, focusing on social engineering tactics like phishing and pretexting.
- Ensure robust incident response plans are in place and regularly tested to minimize the impact of potential breaches.
- Maintain up-to-date security patches and configurations for all systems and network devices.
- Regularly back up critical data and verify the integrity of these backups.
- Establish clear communication channels with law enforcement and cybersecurity agencies for early engagement in case of an attack.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.