Two Britons plead guilty to £39m 2024 cyber-attack on Transport for London

Two British cybercriminals linked to the Scattered Spider hacking group have pleaded guilty to a cyber-attack on Transport for London in 2024 that cost £39m and affected 10 million people. Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty to offences under the Computer Misuse Act at Woolwich crown court on Monday. The National Crime Agency said last year it believed the attack was carried out by an online hacking community known as Scattered Spider, suspected of carrying out a series of attacks in recent years. TfL, the London mayor’s transport authority, handles up to 5m passenger journeys a day on the underground alone. The organisation said it emailed more than 7 million customers in September 2024 “to inform them about the incident” and tell them that “some customer data may have been taken”. The BBC has reported that 10 million TfL customers had their data stolen. The attack prevented live tube arrival information from appearing on the TfL Go app and the TfL website, while TfL was also unable to process any payments on the Oyster and contactless apps or to register Oyster cards to customer accounts. Jubair, of Bow, east London, and Flowers, of Walsall, West Midlands, both admitted conspiring to commit unauthorised acts against computer systems belonging to TfL, causing risk of serious damage to human welfare. Flowers alone also admitted hacking two US healthcare companies. …