Transport for London is back on this blog, and this time the update is about the people accused of helping carry out the 2024 cyberattack rather than the breach itself.
Two alleged Scattered Spider members, Thalha Jubair and Owen Flowers, have pleaded guilty in the UK over the cyberattack that hit Transport for London in late August and early September 2024. The incident disrupted TfL digital services, interfered with Oyster and refund-related systems, and ultimately left the transit authority facing a recovery bill reported at about £39 million.
For anyone who has not followed the group closely, Scattered Spider is a loose, English-speaking cybercrime collective known for social engineering, credential theft, and access-focused attacks that can begin with help-desk manipulation or stolen credentials and quickly turn into much larger incidents. The group has been tied to a string of high-profile intrusions in both the UK and the United States.
Some of the attacks Scattered Spider has been linked to or associated with in public reporting include the 2023 intrusions at MGM Resorts and Caesars Entertainment, as well as the cyberattack on Transport for London.
If you’ve followed this story here before, you know the TfL attack has had multiple chapters. What began as a disruptive incident affecting a major public transportation system later grew into a much larger discussion about customer data exposure, operational fallout, and the continuing threat posed by groups like Scattered Spider. This latest development moves the story from breach coverage into accountability, with the criminal case now shifting toward sentencing.
According to current reporting, the defendants changed their pleas to guilty as proceedings got underway in Woolwich Crown Court. Coverage of the case says the attack took place between late August and early September 2024 and caused significant disruption to TfL systems and services.
What stands out to me is that this is another reminder that attacks on transportation and public-facing infrastructure do not stay confined to the IT department. When systems supporting fares, refunds, account access, and rider services are hit, the impact spills directly into the real world. People cannot access services the way they expect, staff are forced into manual workarounds, and the organization is left cleaning up both the technical damage and the public trust problem afterward.
It is also worth remembering that the TfL story did not end when the incident response began. Earlier reporting around this breach raised concerns about the scale of customer data exposure, and now the guilty pleas add another important marker in the timeline. The attack itself was the headline in 2024. Questions about customer data kept the story alive afterward. Now the legal consequences are becoming part of that record too.
I’ve covered both TfL and Scattered Spider here before, so if you want the earlier pieces and additional context, you can search the archive here:
For this update, I looked at the following reports:
- Two Scattered Spider members plead guilty over cyberattack that crippled London transit
- Two Scattered Spider hackers plead guilty over Transport for London cyberattack
- Duo accused of role in TfL cyber attack plead guilty after ‘lengthy, highly complex, and painstaking investigation’
- Teen hackers plead guilty to $39M cyberattack that crippled London transit system
- Cybercriminals admit £39 million attack on TfL
Discover more from Jared's Technology podcast network
Subscribe to get the latest posts sent to your email.