Decoding the world of cybersecurity

TfL attackers jailed after £29m recovery

Two men have received five-and-a-half-year prison sentences for the Transport for London intrusion, which disabled 148 systems and forced password resets for 27,000 employees.

TfL attackers jailed after £29m recovery
Summary
  • Thalha Jubair and Owen Flowers were each sentenced to five years and six months.
  • The attack rendered 148 systems inoperable and required all 27,000 TfL employees to attend an office for password resets.
  • TfL reported £29 million in losses and recovery costs while several public-facing services depended on manual workarounds.

Two men have each been sentenced to five years and six months for the 2024 cyberattack on Transport for London, which disabled 148 systems and produced £29 million in reported losses and recovery costs.

Thalha Jubair and Owen Flowers were sentenced at Woolwich Crown Court after pleading guilty in June. The National Crime Agency described both as leading members of the online criminal collective commonly known as Scattered Spider.

The intrusion took place between 31 August and 3 September 2024. TfL kept the transport network operating, but supporting services including Dial-a-Ride bookings, concessionary travel-card provision, digital payments, customer refunds, and Oyster photocard applications were disrupted.

All 27,000 TfL employees were required to attend a company office to reset their passwords. Restoring identity became a physical workforce operation because normal remote processes could not be trusted while access to the environment was being rebuilt.

The National Crime Agency’s sentencing account says important systems required substantial manual workarounds and that service delays continued during recovery. Data from TfL’s Oyster refund system was accessed, although TfL has said it has found no evidence that customer information was misused.

The defendants were prosecuted under section 3ZA of the Computer Misuse Act, which applies where unauthorised activity causes or creates a significant risk of serious damage and the person intends, or is reckless as to, that outcome.

Identity recovery dictated the pace

The sentencing provides a firmer account of the financial and operational cost than was available when the defendants entered their pleas. The £29 million figure covers reported losses and recovery expenditure, rather than an attacker demand or an estimate of the theoretical value of the affected data.

Resetting every employee’s password demonstrates how quickly an identity incident can become a continuity problem. At that scale, authentication recovery affects staffing, office access, support capacity, payroll time, devices, and the order in which dependent applications can return.

Password replacement forms only part of restoring trust. Responders must also examine active sessions, tokens, privileged accounts, service identities, remote access, and applications that rely on compromised credentials. Where those relationships are poorly documented, recovery becomes slower and more disruptive.

TfL kept core transport services running while restricting parts of its digital environment, but the burden moved into manual processes and operational teams. Accessibility services, refunds, payment functions, and customer administration remained consequential even though trains, buses, and roads continued operating.

The incident therefore distinguishes between avoiding complete infrastructure shutdown and maintaining an effective public service. Supporting systems determine how customers interact with an operator and how its workforce manages exceptions, concessions, payments, and disruption.

Supporting platforms are part of transport resilience

Critical-infrastructure planning often concentrates on systems that control physical operations. TfL’s experience shows that identity services, employee platforms, customer portals, and payment channels can govern the quality and sustainability of operations even when transport continues moving.

Manual fallback arrangements need to be tested with the same care as technical recovery. An operator should know how many transactions can be processed manually, which customers are affected first, what information staff require, and how long the workaround remains safe and sustainable.

The guilty pleas and sentences also establish criminal responsibility for the TfL intrusion itself, reducing some of the uncertainty that surrounds attribution to loose online collectives. Labels such as Scattered Spider can describe overlapping participants and methods, while the court process identifies the defendants’ responsibility in this case.

Cyber Insider’s earlier coverage of the guilty pleas examined the intrusion and prosecution. The sentences, £29 million cost, and detailed account of recovery now provide a fuller record of the operational consequences.

Large organisations need identity-recovery plans that can operate across an entire workforce without improvisation. Data restoration alone will not return a service where authentication, support capacity, and application trust have not been rebuilt.

×