Two leading members of the Scattered Spider cybercrime collective were sentenced to five years and six months in prison each for hacking Transport for London (TfL) in 2024.
TfL disclosed that its network was breached in August 2024, with the attack disrupting internal systems and online services, including TfL’s Dial-a-Ride service, concessionary travel cards, digital payments, and contactless ticketing rollout, as well as the public transportation agency’s ability to process refunds.
Additionally, 148 systems became inoperable across TfL’s network, and all 27,000 TfL employees had to reset their passwords in person after the breach.
While TfL reported £29 million in losses and recovery costs after the attack, officials estimated that the UK economy could have lost up to £56 billion had the threat actors succeeded in shutting down the transport network.
TfL revealed on September 12, 2024, that the attackers had also stolen customer data (including names, addresses, and contact details). Four days later, on September 16, officers from the City of London Police and the UK National Crime Agency (NCA) arrested 20-year-old Thalha Jubair and 18-year-old Owen Flowers at their homes.
Investigators said that Flowers was also in the process of hacking U.S. healthcare companies Sutter Health and SSM Health Care Corporation, and that, at the time of his arrest, devices seized from him included evidence of the TfL intrusion.
Both pleaded guilty last month under the Computer Misuse Act and were sentenced today to five years and six months in prison each.
NCA Deputy Director Paul Foster described Scattered Spider as “the most significant cybercrime threat to the UK in recent years,” and he credited TfL’s early cooperation with law enforcement for enabling the convictions.
“These convictions would likely not have been possible had Transport for London not engaged with law enforcement early, so I would urge any other organisation to please do the same in such circumstances,” Foster said. “We will continue working with partners in the UK and overseas to identify offenders and bring them to justice.”
The U.S. Department of Justice also charged Jubair in September 2025 with conspiracy to commit computer fraud, money laundering, and wire fraud in connection with at least 120 network breaches between May 2022 and September 2025.
According to court documents, these attacks affected dozens of U.S. organizations, including critical infrastructure entities and U.S. courts, with Jubair and his accomplices extorting over $115 million from victims worldwide between August 2024 and July 2025.
In July 2025, the NCA arrested four other suspected Scattered Spider members believed to be linked to a wave of cyberattacks against major UK retailers, including Harrods, Marks & Spencer, and Co-op.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
UK charges suspects linked to Russian Coms call spoofing platform
Scattered Spider members plead guilty to hacking Transport for London
Nottingham University data breach affects over 450,000 students
EU sanctions Russian GRU military hackers over cyberattacks
Alleged Scattered Spider hacker extradited to the United States
Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days
Microsoft: Some Dell PCs shut down after recent Windows updates
Windows 11 KB5101650 & KB5099414 cumulative updates released
#1 MSP Benchmark report 2026: Insights from 1,000+ MSPs on growth, security, artificial intelligence, and key 2026 trends.
How Mature Is Your AI Security Program? Take the Free AI Maturity Assessment.
AI is a data-breach time bomb: Read the new report
AI broke vulnerability management. Get the guide CISOs use to shift budget to BAS.
Pentest your web apps on-demand. Find what humans miss. Scope and launch a pentest in minutes.
Terms of Use – Privacy Policy – Ethics Statement – Affiliate Disclosure
Read our posting guidelinese to learn what content is prohibited.



