Teenagers charged in major TFL cyberattack that cost London millions

Two British teenagers have been charged with orchestrating a significant cyberattack against Transport for London, a breach that inflicted losses exceeding £39 million on the capital’s transport authority. The defendants, Thalha Jubair, 19, from east London, and Owen Flowers, 18, from Walsall, are alleged to have played leading roles in the hack which unfolded on 31 August 2024.

The incident, linked to the notorious Scattered Spider group, exposed the personal data of around 5,000 customers. Key information, including names, home addresses, contact information, bank account numbers, and sort codes associated with Oyster travel cards, was compromised. While core transport services continued, passengers found themselves unable to access Oyster card services online, platforms like Citymapper went dark, and Dial-a-Ride support for disabled passengers was briefly suspended. All 27,000 Transport for London staff were required to recertify credentials and change passwords at headquarters, imposing considerable administrative costs on the network.

Scattered Spider, described by cybersecurity analysts as an agile collective of English-speaking hackers, is known for its sophisticated social engineering tactics. Members manipulate targets via means such as phishing and SIM swapping, successfully tricking IT support personnel into resetting account credentials. Law enforcement links the group to a rising trend of cybercrime in the UK, warning that English-speaking gangs can more deftly exploit organisational vulnerabilities compared with their Russian-based counterparts.

Owen Flowers faces additional charges related to breaches in US healthcare networks, specifically SSM Health and Sutter Health. The SSM hack alone led to a compromise of medical records and insurance data for some 2.8 million patients, resulting in a US $6.5 million settlement to affected individuals. A breach at Sutter Health exposed personal records of hundreds of thousands more.

Charges under the Computer Misuse Act are severe, with possible sentences stretching up to life imprisonment when public welfare or national security is endangered. Officials from the National Crime Agency hailed the operation as a major step in ongoing efforts to combat cyberthreats targeting critical UK infrastructure. International partnerships, particularly with US law enforcement, continue to play a pivotal role in tracking bulk data theft and bringing offenders before the courts.

This episode highlights persistent vulnerabilities within vital public networks and the escalating expertise of cybercriminals operating from within Britain’s borders. As digital services remain entwined with daily commuter life, the financial and reputational stakes for public entities have never been higher.