VYPR
breachPublished Jul 16, 2026· 6 sources

Scattered Spider Members Jailed for Transport for London Cyberattack

Two key members of the notorious Scattered Spider cybercrime group have been sentenced to over five years in prison for their role in the 2024 Transport for London (TfL) hack.

Two prominent figures within the Scattered Spider cybercrime collective, Thalha Jubair and Owen Flowers, have each received a prison sentence of five years and six months for their involvement in the August 2024 cyberattack on Transport for London (TfL).

The attack, disclosed by TfL on September 2, 2024, significantly disrupted internal systems and public-facing services. Among the affected platforms were TfL's Dial-a-Ride service, concessionary travel cards, digital payment systems, and the rollout of contactless ticketing. The breach also rendered 148 internal systems inoperable and necessitated a mandatory in-person password reset for all 27,000 TfL employees.

While TfL reported financial losses amounting to £29 million for recovery and operational impacts, the potential economic damage to the UK was estimated to be as high as £56 billion had the attackers successfully crippled the entire transport network. Further compounding the breach, TfL revealed on September 12, 2024, that customer data, including names, addresses, and contact details, had been exfiltrated by the threat actors.

Law enforcement agencies, including the City of London Police and the UK National Crime Agency (NCA), made swift arrests on September 16, apprehending 20-year-old Thalha Jubair and 18-year-old Owen Flowers at their respective residences. Investigators also uncovered evidence linking Flowers to ongoing hacking attempts against U.S. healthcare providers Sutter Health and SSM Health Care Corporation.

Both Jubair and Flowers pleaded guilty to charges under the Computer Misuse Act. The NCA highlighted the critical role of TfL's early engagement with law enforcement in securing these convictions. NCA Deputy Director Paul Foster emphasized Scattered Spider as "the most significant cybercrime threat to the UK in recent years" and urged other organizations to follow TfL's example in reporting incidents promptly.

In parallel, the U.S. Department of Justice had previously charged Jubair in September 2025 with multiple offenses, including conspiracy to commit computer fraud, money laundering, and wire fraud. These charges stemmed from a broader investigation into at least 120 network breaches between May 2022 and September 2025, which affected numerous U.S. organizations, including critical infrastructure entities and government courts.

Court documents revealed that Jubair and his associates extorted over $115 million from victims globally between August 2024 and July 2025. This sentencing follows a series of arrests in July 2025, where the NCA apprehended four other individuals suspected of being part of Scattered Spider, linked to attacks on major UK retailers such as Harrods, Marks & Spencer, and Co-op, underscoring the group's widespread and persistent criminal activities.

This sentencing concludes what British authorities described as the largest cybercrime prosecution ever brought before a U.K. court, highlighting the significant financial and operational impact of the attack. The prosecution was only the second ever brought under the U.K.'s most serious Computer Misuse Act offense, underscoring the severity of the charges against the two young hackers.

The sentencing of Owen Flowers and Thalha Jubair, both aged 18 and 20 respectively, to five and a half years imprisonment each for their roles in the 2024 cyber-attack against Transport for London (TfL) has been detailed. Judge Justice Turner cited "selfish bravado" as a key motivator for the attack, alongside acknowledging the defendants' youth and neurodiversity as mitigating factors. The attack, which cost TfL an estimated £29m in losses and recovery, involved social engineering and a two-factor authentication reset to gain access to internal and customer-facing systems, impacting services like the Oyster refund system and Dial-a-Ride buses.

The UK's National Crime Agency (NCA) announced the sentencing of Thalha Jubair, 20, and Owen Flowers, 18, to five years and six months in prison each. This prosecution is described as the largest cybercrime case ever brought before UK courts, stemming from the 2024 attack on Transport for London (TfL) which cost £29 million. The NCA asserts that these arrests have effectively halted Scattered Spider's criminal operations, a claim supported by Microsoft's assessment of the group's degraded capabilities.

The sentencing of Owen Flowers and Thalha Jubair, both aged 18 and 20 respectively, marks the largest cybercrime prosecution in UK history. While the pair pleaded guilty on the basis of recklessness, their actions were deemed serious enough to warrant a conviction under Section 3ZA of the Computer Misuse Act 1990, a provision reserved for the most severe offenses. The National Crime Agency highlighted that Transport for London's early engagement with law enforcement was crucial to the investigation's success.

The sentencing of Thalha Jubair and Owen Flowers, both 20 and 18 respectively, marks a significant disruption to the Scattered Spider collective's operations. The pair pleaded guilty to charges under Section 3ZA of the Computer Misuse Act, which addresses unauthorized access causing significant damage. Their conviction stems from a cyberattack between August 31 and September 3, 2024, which impacted 148 TfL systems and necessitated password resets for all 27,000 employees.

Synthesized by Vypr AI