Two Scattered Spider Hackers Jailed for Transport for London Cyberattack
Two young members of the notorious Scattered Spider cybercrime group have been sentenced to over five years in prison for a 2024 attack that crippled 148 Transport for London (TfL) systems, forcing 27,000 staff to reset passwords and costing the organization approximately £29 million.

Two individuals, identified as Thalha Jubair, 20, and Owen Flowers, 18, have been handed significant prison sentences for their roles in a disruptive cyberattack against Transport for London (TfL). The duo, operating as members of the Scattered Spider cybercrime collective, pleaded guilty to charges under Section 3ZA of the Computer Misuse Act, the most severe offense, which pertains to unauthorized acts causing or risking serious damage. Their sentencing at Woolwich Crown Court on July 16, 2026, followed their guilty pleas on June 22, 2026, marking a major prosecution in the UK's fight against cybercrime.
The attack, which occurred between August 31 and September 3, 2024, saw Jubair and Flowers infiltrate TfL's network, leading to the compromise of 148 systems. While swift containment measures by TfL mitigated the worst potential outcomes, the incident still caused considerable disruption to public-facing services. Services affected included Dial-a-Ride, crucial for vulnerable Londoners, concessionary travel cards, digital payment systems, Oyster refunds, and the Oyster photocard application for children. The expansion of contactless ticketing was also delayed, and critical systems required manual workarounds.
Beyond service disruptions, the attackers also accessed data from the Oyster refunds system, leading to extended waiting times for affected customers. In a significant operational impact, all 27,000 TfL employees were compelled to reset their passwords in person, highlighting the depth of the network intrusion. The total financial impact on TfL was estimated to be around £29 million, with investigators warning that a complete shutdown of the transport network could have cost the UK economy up to £56 billion.
Jubair and Flowers were identified as leading members of Scattered Spider, a group notorious for its use of social engineering, SIM-swapping, and data extortion tactics. Their apprehension came after a joint investigation by the National Crime Agency (NCA) and the City of London Police. They were arrested at their respective homes on September 16, 2024. Evidence seized from Flowers' devices, including laptops and hard drives, contained a screenshot of connectivity to TfL infrastructure and videos of Jubair accessing TfL systems during the attack, corroborating their involvement.
Further investigations revealed that Flowers was also implicated in hacking US healthcare firms SSM Health and Sutter Health. He was later re-arrested for bail breaches related to the use of his devices, while Jubair faced charges for failing to provide device PINs and passwords. Microsoft's assessment indicated that these arrests significantly hampered Scattered Spider's operational capabilities, even if the group's brand might still be misused by others.
Paul Foster, Deputy Director of the NCA, described the case as the largest cybercrime prosecution ever brought before UK courts and emphasized the importance of organizations engaging law enforcement early. Commander Ollie Shaw of the City of London Police highlighted the potential of Cyber Crime Risk Orders as a tool for imposing digital restrictions on high-risk offenders. Security Minister Dame Angela Eagle and TfL Commissioner Andy Lord commended the investigation and underscored the necessity of enhanced cyber resilience across critical infrastructure.
The FBI Cyber Division has also noted Scattered Spider's persistent use of extortion and social engineering against critical services, indicating a continued threat from this group and similar actors. The successful prosecution serves as a stark reminder of the severe consequences of cyberattacks on public services and the sophisticated nature of modern cybercriminal operations.