Two members of the Scattered Spider cybercrime group have been sentenced to five and a half years in prison for carrying out the 2024 cyberattack against Transport for London (TfL), an intrusion that disrupted services, exposed customer data, and resulted in an estimated £29 million ($39 million) in recovery costs. Thalha Jubair, 20, and Owen Flowers, 18, were sentenced at Woolwich Crown Court after previously pleading guilty to offenses under the UK’s Computer Misuse Act.
According to prosecutors, the pair compromised TfL’s systems between August 31 and September 3, 2024, using social engineering techniques to gain access to the organization’s internal network. Investigators said the hackers obtained extensive privileges within the environment, allowing them to access sensitive systems before TfL shut down parts of its infrastructure to stop the attack.
The breach disrupted several digital services used by London’s public transport network. Customers experienced problems with Oyster card services, online accounts, and Dial-a-Ride bookings, while thousands of employees were forced to reset their credentials. Authorities also confirmed that personal information belonging to thousands of customers was compromised during the incident.
Evidence presented in court showed that Jubair livestreamed portions of the attack while Flowers watched remotely, with recordings later recovered by investigators. Prosecutors said the two hackers spent long hours carrying out the intrusion from their family homes and could have caused even greater disruption had TfL not disconnected affected systems from its network.
Flowers also admitted to separate cyberattacks targeting U.S. healthcare organizations SSM Health and Sutter Health. Prosecutors said investigators recovered additional evidence linking him to those intrusions, including recordings and data found on seized electronic devices.
The National Crime Agency described the case as one of the most complex cybercrime investigations conducted in the UK. Officials said the prosecution demonstrates that individuals involved in high-profile cyberattacks can be identified and brought before the courts, even when operating as part of loosely organized hacking groups such as Scattered Spider.
