All 27,000 Transport for London employees had to reset their passwords in person after a 2024 breach that disabled 148 systems and took core services offline, TfL disclosed — a disruption that has now culminated in prison sentences for two alleged members of the Scattered Spider collective.
Sentences handed down to Thalha Jubair and Owen Flowers
Two leading members of the Scattered Spider cybercrime collective were each sentenced today to five years and six months in prison after pleading guilty under the Computer Misuse Act last month. The pair — 20-year-old Thalha Jubair and 18-year-old Owen Flowers — were arrested at their homes on September 16, 2024, by officers from the City of London Police and the UK National Crime Agency (NCA).
Scope of the TfL intrusion and operational impact
TfL disclosed that its network was breached in August 2024. The agency reported disruptions to internal systems and online services including Dial-a-Ride, concessionary travel cards, digital payments, the contactless ticketing rollout, and the ability to process refunds. TfL said 148 systems became inoperable, and all employees were required to reset passwords in person after the breach.
TfL reported £29 million in losses and recovery costs following the attack; officials additionally estimated the UK economy could have lost up to £56 billion had the threat actors succeeded in shutting down the transport network. On September 12, 2024, TfL revealed attackers had stolen customer data, including names, addresses, and contact details.
How investigations connected Flowers and Jubair to other attacks
Investigators said devices seized from Owen Flowers at the time of his arrest included evidence of the TfL intrusion. Authorities also said Flowers was in the process of hacking U.S. healthcare companies Sutter Health and SSM Health Care Corporation when he was arrested.
The NCA and the City of London Police led the arrests in the UK. In July 2025 the NCA arrested four other suspected Scattered Spider members believed to be linked to a wave of cyberattacks against major UK retailers, including Harrods, Marks & Spencer, and Co-op.
U.S. charges and the wider tally of alleged Scattered Spider activity
The U.S. Department of Justice charged Jubair in September 2025 with conspiracy to commit computer fraud, money laundering, and wire fraud in connection with at least 120 network breaches between May 2022 and September 2025. According to court documents cited by investigators, those attacks affected dozens of U.S. organizations, including critical infrastructure entities and U.S. courts. The court filings say Jubair and accomplices extorted over $115 million from victims worldwide between August 2024 and July 2025.
What this means for security teams, TfL employees, and policymakers
- Security teams: The convictions and the investigative detail that devices seized from an arrested suspect contained evidence of the intrusion underscore the forensic value of early seizure and analysis. The NCA credited TfL's early cooperation with law enforcement for enabling the convictions and urged other organisations to do the same.
- TfL employees and the public: The breach led to forced, in-person password resets for all 27,000 employees and the compromise of customer names, addresses, and contact details — concrete impacts that will shape internal remediation and customer-notification processes.
- Policymakers and regulators: Officials' public estimate that a successful shutdown of the transport network could have cost the UK economy up to £56 billion highlights the systemic risk dimension regulators must weigh when assessing critical‑infrastructure cybersecurity and incident response expectations.
NCA Deputy Director Paul Foster described Scattered Spider as "the most significant cybercrime threat to the UK in recent years" and said, "These convictions would likely not have been possible had Transport for London not engaged with law enforcement early, so I would urge any other organisation to please do the same in such circumstances." He added, "We will continue working with partners in the UK and overseas to identify offenders and bring them to justice."
The case ties a high-impact, service-disrupting intrusion to named alleged perpetrators and to a broader pattern of transnational abuse documented in U.S. court filings — and it leaves two clear, connected threads open: continuing cross‑border investigations into other suspected members arrested in 2025, and the wider effort to mitigate systemic risk to transport services that government and industry officials quantified in stark financial terms.




