2 min read

TfL hackers get 5.5 years over Scattered Spider attack

Two Scattered Spider members were sentenced to 5 years and 6 months for the 2024 TfL hack that disrupted 148 systems and cost £29 million.

Image: BleepingComputer

Two leading members of the Scattered Spider cybercrime group have each been sentenced to five years and six months in prison for the 2024 hack of Transport for London.

TfL said the breach, disclosed in August 2024, disrupted internal systems and online services, including Dial-a-Ride, concessionary travel cards, digital payments, the rollout of contactless ticketing, and the agency’s ability to process refunds. The fallout spread widely across the network: 148 systems became inoperable, and all 27,000 TfL employees had to reset their passwords in person.

TfL reported £29 million in losses and recovery costs. Officials also estimated the damage to the wider UK economy could have reached £56 billion if the attackers had managed to shut down the transport network.

TfL said on September 12, 2024 that the attackers also stole customer data, including names, addresses, and contact details. On September 16, officers from the City of London Police and the UK National Crime Agency arrested Thalha Jubair, 20, and Owen Flowers, 18, at their homes.

Investigators said Flowers was also in the process of hacking U.S. healthcare companies Sutter Health and SSM Health Care Corporation, and devices seized during his arrest included evidence tied to the TfL intrusion. Both men pleaded guilty last month under the Computer Misuse Act.

Recommended reading

Student patents shock suit for police use

Owen Flowers and Thalha Jubair
Owen Flowers and Thalha Jubair

According to the NCA, Scattered Spider is a major cybercrime threat in the UK. Deputy Director Paul Foster said TfL’s early engagement with law enforcement was critical.

“These convictions would likely not have been possible had Transport for London not engaged with law enforcement early, so I would urge any other organisation to please do the same in such circumstances.”

Paul Foster, NCA Deputy Director

Foster added that investigators will keep working with UK and international partners to identify and prosecute those involved.

The case is still widening. In September 2025, the U.S. Department of Justice charged Jubair with conspiracy to commit computer fraud, money laundering, and wire fraud tied to at least 120 network breaches between May 2022 and September 2025. Court documents say those attacks hit dozens of U.S. organizations, including critical infrastructure entities and U.S. courts, and that Jubair and his accomplices extorted more than $115 million from victims worldwide between August 2024 and July 2025.

In July 2025, the NCA also arrested four other suspected Scattered Spider members linked to a separate wave of cyberattacks on major UK retailers including Harrods, Marks & Spencer, and Co-op.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via BleepingComputer

// Keep reading