Two members of the Scattered Spider hacking collective have each been jailed for five and a half years at Woolwich Crown Court on 16 July over a 2024 cyber attack on Transport for London that compromised the personal data of millions of customers and cost the transport authority £39 million.
Thalha Jubair, 20, of Bow in east London, and Owen Flowers, 19, of Walsall in the West Midlands, had pleaded guilty in June to offences under the Computer Misuse Act 1990. Both were teenagers, Jubair 18 and Flowers 17, when they broke into TfL's network between 31 August and 3 September 2024. Flowers was also sentenced for intrusions into two US healthcare providers, SSM Health Care and Sutter Health.
Paul Foster, head of the National Crime Agency's National Cyber Crime Unit, which led the investigation with City of London Police, said that the prosecution had significantly degraded Scattered Spider's operations.
The court heard the intrusion turned on social engineering rather than a technical exploit, following a pattern characteristic of the group:
- An unnamed co-conspirator telephoned the TfL help desk posing as an employee unable to access the network remotely.
- The call handler was persuaded to reset the account's authentication to a device the attackers controlled, giving them a foothold.
- Jubair and Flowers escalated their privileges until they reached the highest level of access and created a domain administrator account, described in court as the "keys to the kingdom".
- They routed activity through remote servers to disguise its origin, built virtual machines inside TfL's systems to destroy evidence, and planted multiple back doors to retain access.
- They downloaded millions of lines of data and searched the customer database for the records of celebrities.
Prosecutors said the pair reached a position from which they could have shut out and closed down TfL entirely, and that the attack ended only when TfL took its own systems offline. The intrusion knocked out live Tube arrival information on the TfL website and the TfL Go app, prevented Oyster and contactless payment processing, and closed the online application system for children's and young people's Oyster photocards. Refunds were delayed, and more than 27,000 TfL staff were required to attend an office in person to reset their passwords.
The court was told data on about 7 million people was taken; TfL confirmed in March 2026 that the personal data of around 10 million people had been compromised, including names, contact details and home addresses, with the bank account numbers and sort codes of some 5,000 Oyster refund customers also accessed.
TfL notified the Information Commissioner's Office on 12 September 2024, in line with the 72-hour breach-reporting duty under Article 33 of the UK GDPR. The regulator examined the incident, including TfL's notification of affected individuals under Article 34, and concluded that "formal regulatory action was not proportionate", while requiring TfL to come back to it if new information changed the risk assessment. That decision drew scrutiny after it emerged that TfL had emailed just over 7.1 million account holders, of whom 58 per cent opened the message, while others affected had no email on file and were not directly notified.
Jubair had already been convicted of 22 offences as a teenager, including fraud, unauthorised computer access and blackmail, and separately faces charges in the United States over Scattered Spider activity. Scattered Spider, a loose network of mainly English-speaking hackers, has been linked to intrusions at MGM Resorts, Marks & Spencer, the Co-op Group and Jaguar Land Rover.
TfL's account of the incident and its response remains at https://tfl.gov.uk/campaign/cyber-security-incident.

