Two young men who mounted a cyber attack on Transport for London that cost the organisation £29 million and forced all 28,000 of its staff to reset their passwords in person have pleaded guilty on the first day of their trial at Woolwich Crown Court.
Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands, were both members of the notorious online criminal collective known as Scattered Spider. They infiltrated TfL’s network between 31 August and 3 September 2024 in an attack that caused widespread disruption to one of the UK’s most critical pieces of public infrastructure.
The breach forced every one of TfL’s 28,000 employees to attend a TfL office in person to carry out a password reset. Data from TfL’s Oyster refunds system was accessed, the customer refund system was taken down, and the application system for Oyster photocards for children and young people was closed. Some customers were left out of pocket for far longer than usual as a result. Total losses and recovery costs for TfL are reported to have reached £29 million.
Flowers was first arrested on 6 September 2024, just days after the attack began, when NCA officers also identified evidence that he had infiltrated the networks of US healthcare companies SSM Health Care Corporation and Sutter Health. A search of his home uncovered multiple laptops, tower computers, hard drives and USB sticks. One Acer laptop contained a screenshot showing network connectivity to TfL infrastructure, along with videos Flowers had recorded showing Jubair actively accessing TfL’s systems during the attack. The pair had been communicating via Telegram and a shared online workspace throughout the operation. Flowers was bailed with strict conditions but breached them on two occasions in March and May 2025. Jubair was additionally charged with failing to disclose PIN codes and passwords for seized devices.
Both were due to stand trial today at Woolwich Crown Court but changed their pleas to guilty when proceedings opened. Sentencing will take place at the same court on 16 July.
Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, said: “Cyber crime may appear faceless and distant compared to other crime types, but the infiltration of TfL’s systems shows it has real-world consequences and impacts hugely on the public. The attack caused millions of pounds in losses to a key part of the UK’s critical national infrastructure, and was a significant inconvenience for customers.” He praised TfL’s decision to engage with law enforcement early, saying the result “would not have been possible” without that cooperation, and urged other organisations to do the same. He also warned that “the profile of offenders like Flowers and Jubair demonstrates the increasing threat from cyber criminals based in the UK and other English-speaking countries, epitomised by Scattered Spider.”
City of London Police Deputy Commissioner Nik Adams said: “Those who target critical organisations, cause substantial financial harm, and disrupt the daily lives of the public will not do so without consequence. From the outset, we have worked tirelessly alongside the National Crime Agency on what has been a lengthy and highly complex investigation. Today’s outcome is the result of that close partnership, and it demonstrates the power of joint working between law enforcement agencies to pursue those who seek to undermine the systems that keep our country running.”
The investigation was supported by the West Midlands Regional Organised Crime Unit and British Transport Police. Victims of cybercrime are directed to use the Government’s Cyber Incident Signposting Site for guidance on reporting incidents to the appropriate agencies.
