2 hours ago
10
Two British cybercriminals from the Scattered Spider hacking group have pleaded guilty to a cyber-attack on Transport for London in 2024 that cost £39m and affected 10 million people.
Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty to offences under the Computer Misuse Act at Woolwich crown court on Monday.
The National Crime Agency (NCA) said last year it believed the attack was carried out by an online hacking community known as Scattered Spider, suspected of carrying out a series of attacks in recent years. TfL, the London mayor’s transport authority, handles up to 5m passenger journeys a day on the underground alone.
The organisation said it emailed more than 7 million customers in September 2024 “to inform them about the incident” and tell them that “some customer data may have been taken”. The BBC has reported that 10 million TfL customers had their data stolen.
The attack prevented live tube arrival information from appearing on the TfL Go app and the TfL website, while TfL was also unable to process any payments on the Oyster and contactless apps or to register Oyster cards to customer accounts.
Prosecutors said the cyber-attack resulted in a £39m loss for TfL as well as a “loss of livelihood” for people dependent on TfL licences, Westminster magistrates court previously heard.
Jubair, of Bow, east London, and Flowers, of Walsall, West Midlands, both admitted conspiring to commit unauthorised acts against computer systems belonging to TfL, causing risk of serious damage to human welfare.
Flowers alone also admitted hacking two US healthcare companies. He admitted conspiring to commit unauthorised acts against computer systems belonging to SSM Health Care Corporation and attempting to commit unauthorised acts against computer systems belonging to Sutter Health, on or about 6 September 2024.
The pair entered their guilty pleas on the first day of what was due to be a six-week trial. Mr Justice Turner remanded Jubair – wearing glasses in a grey suit, shirt and tie – and Flowers – wearing glasses in a blue sweater and grey tracksuit bottoms – in custody before a two-day sentencing hearing on 15 July.
Jubair has also been accused by the US Department of Justice of involvement in a series of cyber-attacks that targeted 47 US organisations and garnered more than $100m (£75m) in ransom payments.
Flowers denied two further hacking charges and they were ordered to lie on file.
Paul Foster, the head of the NCA’s national cyber crime unit, said the TfL incident underlined the growing threat from homegrown and English-speaking hackers. Typically, crippling hacks on high-profile public and private organisations have been carried out by Russian speaking hackers or assailants based in the former Soviet Union.
“The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cybercriminals based in the UK and other English-speaking countries, epitomised by Scattered Spider,” he said.
The NCA said the hackers had accessed TfL’s refunds system leaving some customers out of pocket for much longer than usual. The attack also shut the application system for Oyster photocards for children and young people.
Foster added that the damage showed cybercrime has “real-world consequences and impacts hugely on the public” despite appearing to be “faceless and distant” compared with other crimes.
Investigators found a number of devices at Flowers’ West Midlands home including laptops, hard drives and USB sticks. One laptop contained a screen shot showing network connectivity to TfL infrastructure.
The laptop also contained a number of videos that Flowers had recorded, showing Jubair accessing TfL systems during the attack. The pair were using the Telegram messaging platform to communicate with each other and also communicated through an online tool where multiple participants can work together remotely.
