Two Britons plead guilty to £39m 2024 cyber-attack on Transport for London | Cybercrime
Two British cybercriminals linked to the Scattered Spider hacking group have pleaded guilty to a 2024 cyberattack that cost Transport for London £39 million and affected 10 million people.
Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty to offenses under the Computer Misuse Act at Woolwich crown court on Monday.
The National Crime Agency said last year it believed the attack was carried out by an online hacking collective known as Scattered Spider, which is suspected of carrying out a series of attacks in recent years.
TfL, the mayor of London’s transport authority, handles up to 5 million passenger journeys a day on the tube alone.
The organization said it emailed more than 7 million customers in September 2024 to “inform them of the incident” and to inform them that “some customer data may have been taken.” The BBC reported that the data of 10 million TfL customers was stolen.
The attack prevented live tube arrival details from appearing on the TfL Go app and TfL website, while TfL was also unable to process any payments on Oyster and contactless apps or register Oyster cards to customer accounts.
Jubair, of Bow, east London, and Flowers, of Walsall, West Midlands, both admitted conspiring to carry out unauthorized acts against computer systems belonging to TfL, causing a risk of serious harm to human welfare.
Flowers also admitted to single-handedly hacking two US healthcare companies. He admitted that on or about September 6, 2024, he conspired to commit unauthorized acts against computer systems owned by SSM Health Care Corporation and attempted to commit unauthorized acts against computer systems owned by Sutter Health.
The duo entered the guilty plea on the first day of the six-week trial. Judge Turner detained Jubair, who was wearing glasses, a gray suit, shirt and tie, and Flowers, who was wearing glasses, a blue sweater and gray sweatpants, before the two-day sentencing hearing on July 15.
Jubair is also accused by the US Department of Justice of participating in a series of cyberattacks that targeted 47 US organizations and collected ransom payments of more than $100 million (£75 million).
Flowers pleaded not guilty to two more separate hacking charges and was ordered to lie on the dossier.
Jubair denied that he had not identified himself after officers seized his devices on March 19 last year and it was decided that this charge would also be included in the file.
