Info Gov

Two British men have pleaded guilty to offences under the Computer Misuse Act in connection with the September 2024 cyberattack on Transport for London, which cost the public body £39 million and resulted in the personal data of an estimated 10 million customers being accessed.

Thalha Jubair, 20, from east London, and Owen Flowers, 18, from Walsall in the West Midlands, pleaded guilty at a hearing at Woolwich Crown Court. Both had been scheduled to stand trial on 22 June 2026 but changed their pleas on the first day of what was due to be a six-week trial.

Both admitted conspiring to commit unauthorised acts against computer systems belonging to TfL, causing risk of serious damage to human welfare. They pleaded guilty on the basis that they recklessly accessed the systems without intending to do so.

Flowers alone also admitted hacking two US healthcare companies: conspiring to commit unauthorised acts against systems belonging to SSM Health Care Corporation, and attempting to commit unauthorised acts against systems belonging to Sutter Health, on or about 6 September 2024.

The hackers infiltrated TfL's network between 31 August and 3 September 2024. At the time, TfL described the attack as "sophisticated" and "aggressive" and was forced to suspend functions including traffic cameras and Dial-a-Ride bookings.

Data from TfL's Oyster refunds system was accessed and the incident affected TfL's customer refund system, leaving some customers out of pocket for longer than usual. It also closed down the application system for Oyster photocards for children and young people. Following the compromise of its network, TfL required all 28,000 employees to attend an office in person to reset their passwords.

TfL said it had emailed more than 7 million customers to inform them about the incident and that some customer data may have been taken.

Flowers was first arrested on 12 September 2024 as part of the TfL investigation. Investigators uncovered evidence linking him to intrusions at SSM Health Care Corporation and Sutter Health. Jubair and Flowers were arrested at their home addresses on 16 September 2025 by officers from the National Crime Agency (NCA) and the City of London Police.

Officers seized several devices from Flowers' home, including laptops, desktop computers, hard drives and USB storage devices. One laptop contained a screenshot showing connectivity to TfL infrastructure, while another contained videos recorded by Flowers that showed Jubair accessing TfL systems during the attack. The evidence showed the pair communicating via Telegram and an online collaboration platform used to share access and information. Investigators also recovered evidence that Flowers had accessed a marketplace selling stolen credentials.

Flowers later breached his bail conditions on two occasions, while Jubair faced an additional charge for failing to disclose passwords or PINs for seized devices.

The NCA said both defendants were members of Scattered Spider, a loosely organised network of predominantly English-speaking cybercriminals linked to a series of high-profile intrusions targeting major US and European companies across sectors including aviation, insurance and retail. US prosecutors have previously alleged that the group extorted at least $115 million from victims over a three-year period.

The NCA's deputy director and head of its National Cyber Crime Unit, Paul Foster, described the case as a "lengthy, highly complex and painstaking investigation" and stated that "cyber crime may appear faceless and distant compared to other crime types, but the infiltration of TfL's systems shows it has real-world consequences and impacts hugely on the public."

Foster praised TfL's early engagement with the NCA, which was a material factor in the successful prosecution, and the NCA has specifically highlighted this as a model for other organisations. He urged organisations that are victims of cyberattacks to engage with law enforcement early.

TfL's Transport Commissioner, Andy Lord, welcomed the guilty pleas, adding: "The security of our systems and customer data is extremely important to us, and we continually monitor our systems to ensure only those authorised can gain access."

Both defendants will be sentenced at a two-day hearing scheduled for 15 and 16 July 2026 and have been remanded in custody.

An investigation into the attack by the Greater London Authority Oversight Committee found that TfL and mant other parts of the public sector were extremely unprepared for cyber attacks with the biggest risk being created by legacy IT systems. Transitioning to modern security practices, it said,  requires “significant investment” and long term planning.

Also in this section

Jul 16, 2026

Scattered Spider pair jailed over TfL hack

Two members of the Scattered Spider hacking collective have each been jailed for five and a half years at Woolwich Crown Court on 16 July over a 2024 cyber attack on Transport for London that compromised the personal data of millions of customers and cost the transport authority £39 million.
Jul 15, 2026

Government introduces mandatory data breach reporting protocol

The Cabinet Office has published a Model Action Plan setting out a single cross-government framework that all departments and arms-length bodies must follow when responding to significant personal data breaches, introducing mandatory central reporting of such incidents for the first time.
Jun 29, 2026

"Five eyes" warn on accelerating cyber security threat from AI

The National Cyber Security has called on organisational leaders to treat cyber resilience as a core business and governance responsibility rather than a technical matter in the light of a report by the Five Eyes intelligence alliance on the "fundamental" impact of AI on the speed and scale of cyber threats.
Jun 15, 2026

Government AI hackathons uncover 407 vulnerabilities across nine departments, including critical remote code execution flaw

A pilot programme using frontier AI models to scan public-sector code repositories has identified 407 security findings across nine government organisations, including a critical vulnerability that could have allowed an external attacker to execute arbitrary code on a key digital service, the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC)…

InfoGov Masthead Newsletter 800