Two Britons plead guilty to £39m 2024 cyber-attack on Transport for London

Transport for London handles up to 5m passenger journeys a day on the underground alone. The BBC has reported that 10 million TfL customers had their data stolen in the cyber-attack. Photograph: Andy Rain/EPA

Thalha Jubair and Owen Flowers, linked to the Scattered Spider hacking group, change pleas on first day of expected six-week trial

Two British cybercriminals linked to the Scattered Spider hacking group have pleaded guilty to a cyber-attack on Transport for London in 2024 that cost £39m and affected 10 million people.

Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty to offences under the Computer Misuse Act at Woolwich crown court on Monday.

The National Crime Agency said last year it believed the attack was carried out by an online hacking community known as Scattered Spider, suspected of carrying out a series of attacks in recent years.

TfL, the London mayor’s transport authority, handles up to 5m passenger journeys a day on the underground alone.

The organisation said it emailed more than 7 million customers in September 2024 “to inform them about the incident” and tell them that “some customer data may have been taken”. The BBC has reported that 10 million TfL customers had their data stolen.

The attack prevented live tube arrival information from appearing on the TfL Go app and the TfL website, while TfL was also unable to process any payments on the Oyster and contactless apps or to register Oyster cards to customer accounts.

Jubair, of Bow, east London, and Flowers, of Walsall, West Midlands, both admitted conspiring to commit unauthorised acts against computer systems belonging to TfL, causing risk of serious damage to human welfare.

Flowers alone also admitted hacking two US healthcare companies. He admitted conspiring to commit unauthorised acts against computer systems belonging to SSM Health Care Corporation and attempting to commit unauthorised acts against computer systems belonging to Sutter Health, on or about 6 September 2024.

The pair entered their guilty pleas on the first day of what was due to be a six-week trial. Justice Turner remanded Jubair – wearing glasses in a grey suit, shirt and tie – and Flowers – wearing glasses in a blue sweater and grey tracksuit bottoms – in custody ahead of a two-day sentencing hearing on 15 July.

Jubair has also been accused by the US Department of Justice of involvement in a series of cyber-attacks that targeted 47 US organisations and garnered more than $100m (£75m) in ransom payments.

Flowers denied two further hacking charges and they were ordered to lie on file.

Jubair denied failing to disclose his after officers seized his devices on 19 March last year and that charge was also ordered to lie on file.