Pair Admit Role in Cyber Attack That Cost TfL £39m and Disrupted Millions of Journeys

Two men have admitted carrying out offences linked to a major cyber attack on Transport for London that caused widespread disruption, exposed customer data and left the transport authority facing costs of around £39 million.

Thalha Jubair, 20, from east London, and Owen Flowers, 18, from Walsall, changed their pleas to guilty at Woolwich Crown Court on Monday, avoiding what was expected to be a six-week trial.

The pair admitted conspiring to carry out unauthorised activity against TfL's computer systems in breach of the Computer Misuse Act.

The cyber attack began in August 2024 and triggered months of disruption across TfL's digital services. Investigators believe around 10 million customers were affected by the security breach, making it one of the most significant cyber incidents to impact a UK transport organisation.

The attack forced several online services offline and disrupted key customer systems. Passengers experienced difficulties accessing account information, refund requests were delayed and applications for concessionary Oyster photocard schemes were temporarily suspended.

Thousands of customers were later informed that some of their personal information may have been accessed during the incident.

National Crime Agency investigators said the attack was linked to the cybercrime group known as Scattered Spider, a collective associated with a number of high-profile attacks against major organisations in the UK and overseas.

Evidence gathered during the investigation included digital material recovered from devices seized during arrests carried out in September 2024.

According to investigators, a laptop recovered from Flowers' home contained evidence showing access to TfL infrastructure, while videos discovered on devices appeared to show activity within TfL systems during the breach. The pair were also found to have communicated through encrypted messaging platforms and online collaboration tools.

Flowers additionally admitted offences relating to attempted intrusions into the systems of two healthcare organisations in the United States, California-based Sutter Health and SSM Healthcare Corporation.

The National Crime Agency described the case as a complex investigation involving extensive digital forensic work and collaboration with law enforcement partners.

Deputy Director Paul Foster said cybercrime often appears remote but can have significant real-world consequences, particularly when critical infrastructure is targeted.

He noted that the attack caused substantial financial losses and disrupted services relied upon by millions of passengers across the capital.

London's Transport Commissioner Andy Lord welcomed the guilty pleas and said protecting customer information and the security of TfL systems remains a top priority.

He said the organisation continues to monitor its networks closely and has strengthened measures designed to prevent unauthorised access.

The two men are due to be sentenced on 15 July.

The case serves as another reminder of the growing threat posed by organised cybercrime groups and the increasing importance of protecting critical transport infrastructure from digital attacks.