
Scattered Spider Teens Plead Guilty to TfL Cyberattack


"Cybercrime may appear faceless and distant compared to other crime types, but the infiltration of TfL’s systems shows it has real-world consequences and impacts hugely on the public," said Paul Foster, deputy director and head of the National Crime Agency’s National Cyber Crime Unit.

The TfL breach: scope, timing and public impact

Between 31 August and 3 September 2024, two British men who were teenagers at the time infiltrated Transport for London (TfL), according to the National Crime Agency (NCA). The attackers — Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands — have pleaded guilty to the offences. The NCA says the incident cost TfL £29m ($38m) in loss and recovery costs and disrupted multiple public-facing services.

Specifically, the NCA reported the intrusion affected TfL’s customer refund system, knocked out the application system for Oyster photocards for children and young people, and required all 28,000 employees to attend a TfL office for a password reset.

Evidence recovered: a laptop, a video and messaging logs

Flowers was arrested on 6 September 2024. Officers seized an Acer laptop that, the NCA says, contained a screenshot showing network connectivity to TfL infrastructure and evidence that he had accessed a site selling breached credentials. Also on the device was a video recorded by Flowers that apparently showed Jubair accessing TfL systems, and material the agency says demonstrates the pair messaging each other over Telegram and another tool during their activity.

Wider allegations and alleged extortion activity

Although both men pleaded guilty at Woolwich Crown Court on 22 June and are due to be sentenced on 16 July, unsealed charges from September 2025 suggest the case may extend far beyond the single TfL incident.

The NCA’s unsealed allegations assert that Jubair participated in at least 120 computer network intrusions and extortion operations involving 47 US entities, with victims allegedly paying $115m or more in ransom payments to Jubair and his associates. The NCA also links Flowers to evidence of involvement in breaches of US healthcare companies SSM Health Care Corporation and Sutter Health.

The NCA investigation and the Scattered Spider connection

Deputy director Paul Foster described the inquiry as “lengthy, highly complex and painstaking,” and credited the “perseverance and meticulousness of our officers, and the work of our partner organisations” for securing guilty pleas. Foster warned of the “increasing threat” from homegrown cybercriminals and identified the pair as members of the Scattered Spider collective.

The loose, English-speaking collective has been tied by the NCA to major extortion incidents at MGM Resorts International, Snowflake and, more recently, Marks & Spencer and Co-op Group.

What this means for TfL employees and London customers; SSM Health Care and Sutter Health; security teams and investigators

  • TfL employees and London customers: The password reset for all 28,000 staff and the downtime to refund and Oyster photocard systems show operational and customer-facing consequences that directly affected commuters and families applying for child and youth Oyster cards.
  • SSM Health Care Corporation and Sutter Health: Evidence linking Flowers to breaches of these US healthcare providers places the healthcare organisations named in the NCA material among the alleged victims connected to the pair’s activities.
  • Security teams and cyber investigators: The seizure of an Acer laptop containing screenshots, a video, and logs of messaging across Telegram and other tools illustrates the kinds of digital artefacts investigators used to tie actors to intrusion activity and to secure guilty pleas in a complex, cross-border investigation.

Both men pleaded guilty on 22 June and will be sentenced on 16 July. The NCA’s account ties a disruptive, costly attack on a major public transport operator to a wider pattern of alleged intrusions and extortion that the agency says generated substantial ransom payments. The record assembled by investigators—screenshots, device-stored video and messaging data—provided the factual foundation for the prosecutions; the coming sentencing will be the judicial milestone that follows.
