Back to Feed
BreachesJul 16, 2026

Scattered Spider members behind TfL hack get five years in prison

Two Scattered Spider members sentenced to 5.5 years for hacking Transport for London in 2024.

Summary

Thalha Jubair (20) and Owen Flowers (18), leading members of the Scattered Spider cybercrime collective, were sentenced to five years and six months in prison each for breaching Transport for London in August 2024. The attack disrupted services including contactless ticketing, Dial-a-Ride, and digital payments, affecting 8.4 million Londoners and causing £29 million in losses; the broader UK economy faced potential £56 billion damage. The U.S. Department of Justice separately charged Jubair with conspiracy related to at least 120 network breaches affecting critical infrastructure and U.S. courts, with the group extorting over $115 million between August 2024 and July 2025.

Full text

Scattered Spider members behind TfL hack get five years in prison By Sergiu Gatlan July 16, 2026 08:31 AM 0 Two leading members of the Scattered Spider cybercrime collective were sentenced to five years and six months in prison each for hacking Transport for London (TfL) in 2024. On September 2, 2024, TfL (which provides transportation services to more than 8.4 million Londoners) disclosed that its network was breached in August 2024, with the attack disrupting internal systems and online services. Affected services and platforms included TfL's Dial-a-Ride service, concessionary travel cards, digital payments, and contactless ticketing rollout, as well as the public transportation agency's ability to process refunds. Additionally, 148 systems became inoperable across TfL's network, and all 27,000 TfL employees had to reset their passwords in person after the breach. While TfL reported £29 million in losses and recovery costs after the attack, officials estimated that the UK economy could have lost up to £56 billion had the threat actors succeeded in shutting down the transport network. TfL revealed on September 12, 2024, that the attackers had also stolen customer data (including names, addresses, and contact details). Four days later, on September 16, officers from the City of London Police and the UK National Crime Agency (NCA) arrested 20-year-old Thalha Jubair and 18-year-old Owen Flowers at their homes. Investigators said that Flowers was also in the process of hacking U.S. healthcare companies Sutter Health and SSM Health Care Corporation, and that, at the time of his arrest, devices seized from him included evidence of the TfL intrusion. Both pleaded guilty last month under the Computer Misuse Act and were sentenced today to five years and six months in prison each. Owen Flowers and Thalha Jubair (NCA) NCA Deputy Director Paul Foster described Scattered Spider as "the most significant cybercrime threat to the UK in recent years," and he credited TfL's early cooperation with law enforcement for enabling the convictions. "These convictions would likely not have been possible had Transport for London not engaged with law enforcement early, so I would urge any other organisation to please do the same in such circumstances," Foster said. "We will continue working with partners in the UK and overseas to identify offenders and bring them to justice." The U.S. Department of Justice also charged Jubair in September 2025 with conspiracy to commit computer fraud, money laundering, and wire fraud in connection with at least 120 network breaches between May 2022 and September 2025. According to court documents, these attacks affected dozens of U.S. organizations, including critical infrastructure entities and U.S. courts, with Jubair and his accomplices extorting over $115 million from victims worldwide between August 2024 and July 2025. In July 2025, the NCA arrested four other suspected Scattered Spider members believed to be linked to a wave of cyberattacks against major UK retailers, including Harrods, Marks & Spencer, and Co-op. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: UK charges suspects linked to Russian Coms call spoofing platformScattered Spider members plead guilty to hacking Transport for LondonNottingham University data breach affects over 450,000 studentsEU sanctions Russian GRU military hackers over cyberattacksAlleged Scattered Spider hacker extradited to the United States

Entities

Scattered Spider (threat_actor)Thalha Jubair (threat_actor)Owen Flowers (threat_actor)Transport for London (TfL) (product)Sutter Health (vendor)SSM Health Care Corporation (vendor)