Decoding the world of cybersecurity

TfL cyber attackers plead guilty

Two men have pleaded guilty over the 2024 Transport for London cyberattack, creating a rare accountability moment after a major public transport incident.

TfL cyber attackers plead guilty
Summary
  • The NCA says Thalha Jubair and Owen Flowers admitted Computer Misuse Act offences linked to the TfL attack.
  • TfL faced operational disruption, large-scale password resets, customer-system impact, and reported loss and recovery costs of about £29 million.
  • The case connects cybercrime enforcement with transport resilience, identity recovery, and public-sector incident accountability.

Two men have pleaded guilty to offences linked to the 2024 cyberattack on Transport for London, creating a rare criminal-accountability milestone after a major UK public transport cyber incident.

The National Crime Agency said Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, admitted Computer Misuse Act offences after an investigation by the NCA and City of London Police. According to the NCA, TfL’s network was infiltrated between 31 August and 3 September 2024. The agency said all 28,000 TfL employees had to attend offices for password resets, data from the Oyster refunds system was accessed, and the incident contributed to around £29 million in loss and recovery costs.

The NCA said the two men were members of Scattered Spider, the loose online criminal collective associated with social engineering, credential theft, and high-impact intrusions against large organisations. They are due to be sentenced at Woolwich Crown Court on 16 July 2026.

The agency has published a case update on the convictions, setting out the investigation, guilty pleas, and known operational impact.

The TfL case remains one of the clearest UK examples of how a cyber incident can create consequences even when transport services continue to run. Public attention often settles on whether trains, buses, or payment systems stop immediately. The operational burden can be more complex: identity resets, customer notification, internal access restrictions, refund disruption, forensic investigation, system restoration, regulatory engagement, and public communication.

The forced password reset for TfL’s workforce is particularly instructive. Identity is now one of the main recovery battlegrounds after an intrusion. Once an attacker has gained access, an organisation may have to assume that credentials, session tokens, privileged accounts, or administrative pathways are no longer trustworthy. Resetting staff access at scale is disruptive, costly, and hard to execute cleanly in a distributed public-service environment.

The customer-system element adds another layer of exposure. Refund platforms and concessionary or photocard systems can hold personal data, travel-related records, and customer service histories. Even where payment systems or live transport operations are not directly compromised, ancillary systems can still create privacy, fraud, and trust risks.

The guilty pleas also show the enforcement challenge around modern cybercrime. Groups such as Scattered Spider do not always resemble traditional organised-crime hierarchies. They can include young, English-speaking actors using social engineering, online collaboration tools, credential markets, and shared tactics to target large organisations. Prevention therefore depends on technical controls, helpdesk procedures, employee verification, identity recovery, and rapid escalation to law enforcement.

The same conditions exist across many large organisations: complex legacy estates, extensive contractor access, large workforces, customer data platforms, and heavy reliance on digital identity. Attackers do not need to stop trains to create months of operational and financial drag.

Sentencing will provide the next formal milestone. The operational record is already clear enough: cyber incidents in public transport become governance events because recovery depends on people, process, identity, legal coordination, customer communication, and executive judgement as much as technical containment.

×