Mastodon Mastodon Mastodon Mastodon

Five-Year Sentences for TfL Cyberattack Linked to Scattered Spider

Photo of author

CyberSecureFox Editorial Team

Published:

On 16 July 2026, Woolwich Crown Court sentenced Owen Flowers (18) and Talha Jubair (20) to five and a half years’ imprisonment each for hacking Transport for London (TfL) systems in September 2024. The attack disabled 148 systems of the transport operator, which handles around 9 million journeys a day, and led to a leak of passengers’ personal data. According to the Crown Prosecution Service (CPS) and the National Crime Agency (NCA), the damage and recovery costs totalled £29 million. The case has become, in the CPS’s assessment, the first successful conviction under section 3ZA of the Computer Misuse Act 1990 — the most serious offence under that Act.

Timeline of the attack and scale of damage

The intrusion lasted from 31 August to 3 September 2024. Over four days, the attackers disrupted the operation of critical London transport services:

  • Dial-a-Ride — a service for transporting mobility-impaired Londoners — was taken offline;
  • The digital channel for fare payment and the issuing of concessionary travel cards stopped working;
  • Acceptance of applications for children’s and youth Oyster photocard passes was halted;
  • The rollout of contactless payments was postponed, and refund processing slowed significantly.

As TfL informed passengers, the attackers gained access to customers’ names, email addresses and, in some cases, home addresses. For roughly 5,000 people, TfL estimates that data relating to Oyster card refunds may have been compromised, including bank account numbers and sort codes.

The impact on internal infrastructure was no less serious: all 27,000 TfL employees had to come into the office in person to reset their passwords. The NCA calls this the largest criminal prosecution for a cybercrime in the history of the British courts, although the methodology for that comparison is not disclosed.

Evidence and arrest

Flowers was arrested at home on 6 September 2024 — three days after the TfL intrusion ended. According to the NCA, at the time of his arrest he was in the process of attacking two US healthcare organisations — SSM Health Care Corporation and Sutter Health. Laptops, desktop computers, hard drives and USB sticks were seized during the search. One of the laptops contained a screenshot showing a connection to TfL’s infrastructure, as well as video recordings in which Flowers documented Jubair’s actions inside the transport operator’s systems.

The pair coordinated their actions via Telegram and a shared online workspace. Prosecutors proved that Flowers was connected to the remote server used to launch all three intrusions. Evidence of Jubair’s involvement in the TfL attack was obtained overseas with the assistance of foreign prosecutors.

Flowers admitted two additional charges: conspiracy to attack SSM Health and attempted attack on Sutter Health. According to the CPS, in his correspondence he threatened to lock hospital systems, while acknowledging that this “could kill some 90-year-old on a life-support machine”. It was his arrest that stopped this attack.

Legal precedent: section 3ZA

Both defendants pleaded guilty on 22 June 2026 — the day the trial was due to begin. They were charged under section 3ZA of the Computer Misuse Act — the most serious offence under that Act. The defendants admitted that they had acted with reckless disregard as to whether they were creating a significant risk of serious harm to people’s wellbeing.

It is worth noting a discrepancy in how the two agencies describe this: the CPS states that this is the first successful conviction under this section, whereas the NCA calls the case only the second prosecution of its kind. Both statements could be true at the same time — one counting cases brought, the other counting those ending in conviction — but neither agency explains the difference.

The NCA estimates the hypothetical loss from a complete shutdown of the TfL network at up to £56 billion for the UK economy. That figure remained hypothetical: TfL itself disconnected its network to contain the threat, which, according to the CPS, prevented a catastrophic scenario. The methodology for calculating the £56 billion is not disclosed.

Link to Scattered Spider and an open case in the US

The NCA describes both convicted men as leading members of the Scattered Spider group (also tracked as Octo Tempest, UNC3944 and 0ktapus). The CPS is more cautious: the defendants at various times claimed membership in a group which, in prosecutors’ view, carried out hundreds of attacks between 2022 and 2025. The FBI, quoted in the NCA’s statement, links the group to data extortion, SIM-swapping and social engineering.

For Jubair, the case is far from over. A complaint unsealed in New Jersey in September 2025 charges him with conspiracy to commit computer fraud, fraud using means of communication and money laundering. According to US prosecutors, the scheme spanned around 120 network intrusions and at least 47 victims in the United States between May 2022 and September 2025, with total ransom payments exceeding $115 million. He is also accused of taking part in intrusions into the systems of a US critical infrastructure company and the US judicial system, as well as moving about $8.4 million in cryptocurrency from a server wallet at the moment agents were seizing it. The maximum penalty under all US charges is 95 years. None of the published documents touches on the question of extradition.

Defensive lessons: social engineering remains the main vector

Neither the NCA nor the CPS have disclosed exactly how Flowers and Jubair initially gained access to TfL. However, the context provided by Mandiant’s research on ShinyHunters’ expansion points to the typical toolkit of such groups: voice phishing (vishing) calls to employees, fake credential-harvesting pages styled to match the victim’s brand, interception of SSO logins and multi-factor authentication codes, followed by registering the attacker’s own device to pass MFA.

The Google hardening guide boils its key recommendation down to a single principle: verify identity for password resets, device registration and MFA-setting changes — precisely those manual procedures through which these groups penetrate systems using social engineering.

The NCA also emphasises that these sentences would likely not have been possible had TfL not contacted law enforcement at an early stage of the incident. In parallel, the City of London Police used the sentencing as an opportunity to promote the idea of “cyber risk orders” — court-imposed restrictions on the use of devices and online services by convicted offenders, which Commander Ollie Shaw described as a “digital prison”. The police do not yet have such powers.

The TfL case illustrates two practical truths. First: organisations operating critical infrastructure must build strict identity verification into all credential-management procedures — password resets, device registration, MFA changes — because it is precisely these “manual” entry points that groups at the Scattered Spider level exploit. Second: contacting law enforcement early upon detecting an intrusion not only helps to contain the damage, but also, as this case shows, creates the evidentiary basis to hold attackers accountable — up to and including arresting them in the act of carrying out their next attack.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.