Two British men have pleaded guilty to offences under the Computer Misuse Act in connection with the September 2024 cyberattack on Transport for London, which cost the public body £39 million and resulted in the personal data of an estimated 10 million customers being accessed.
Thalha Jubair, 20, from east London, and Owen Flowers, 18, from Walsall in the West Midlands, pleaded guilty at a hearing at Woolwich Crown Court. Both had been scheduled to stand trial on 22 June 2026 but changed their pleas on the first day of what was due to be a six-week trial.
Both admitted conspiring to commit unauthorised acts against computer systems belonging to TfL, causing risk of serious damage to human welfare. They pleaded guilty on the basis that they recklessly accessed the systems without intending to do so.
Flowers alone also admitted hacking two US healthcare companies: conspiring to commit unauthorised acts against systems belonging to SSM Health Care Corporation, and attempting to commit unauthorised acts against systems belonging to Sutter Health, on or about 6 September 2024.
The hackers infiltrated TfL's network between 31 August and 3 September 2024. At the time, TfL described the attack as "sophisticated" and "aggressive" and was forced to suspend functions including traffic cameras and Dial-a-Ride bookings.
Data from TfL's Oyster refunds system was accessed and the incident affected TfL's customer refund system, leaving some customers out of pocket for longer than usual. It also closed down the application system for Oyster photocards for children and young people. Following the compromise of its network, TfL required all 28,000 employees to attend an office in person to reset their passwords.
TfL said it had emailed more than 7 million customers to inform them about the incident and that some customer data may have been taken.
Flowers was first arrested on 12 September 2024 as part of the TfL investigation. Investigators uncovered evidence linking him to intrusions at SSM Health Care Corporation and Sutter Health. Jubair and Flowers were arrested at their home addresses on 16 September 2025 by officers from the National Crime Agency (NCA) and the City of London Police.
Officers seized several devices from Flowers' home, including laptops, desktop computers, hard drives and USB storage devices. One laptop contained a screenshot showing connectivity to TfL infrastructure, while another contained videos recorded by Flowers that showed Jubair accessing TfL systems during the attack. The evidence showed the pair communicating via Telegram and an online collaboration platform used to share access and information. Investigators also recovered evidence that Flowers had accessed a marketplace selling stolen credentials.
Flowers later breached his bail conditions on two occasions, while Jubair faced an additional charge for failing to disclose passwords or PINs for seized devices.
The NCA said both defendants were members of Scattered Spider, a loosely organised network of predominantly English-speaking cybercriminals linked to a series of high-profile intrusions targeting major US and European companies across sectors including aviation, insurance and retail. US prosecutors have previously alleged that the group extorted at least $115 million from victims over a three-year period.
The NCA's deputy director and head of its National Cyber Crime Unit, Paul Foster, described the case as a "lengthy, highly complex and painstaking investigation" and stated that "cyber crime may appear faceless and distant compared to other crime types, but the infiltration of TfL's systems shows it has real-world consequences and impacts hugely on the public."
Foster praised TfL's early engagement with the NCA, which was a material factor in the successful prosecution, and the NCA has specifically highlighted this as a model for other organisations. He urged organisations that are victims of cyberattacks to engage with law enforcement early.
TfL's Transport Commissioner, Andy Lord, welcomed the guilty pleas, adding: "The security of our systems and customer data is extremely important to us, and we continually monitor our systems to ensure only those authorised can gain access."
Both defendants will be sentenced at a two-day hearing scheduled for 15 and 16 July 2026 and have been remanded in custody.
An investigation into the attack by the Greater London Authority Oversight Committee found that TfL and mant other parts of the public sector were extremely unprepared for cyber attacks with the biggest risk being created by legacy IT systems. Transitioning to modern security practices, it said, requires “significant investment” and long term planning.

