Two men plead guilty over TfL cyber attack that hit 10 million customers
Two men admitted their role in a cyber attack that forced Transport for London to restrict access to parts of its network while keeping trains, buses and safety-critical systems running. The case exposed how a single intrusion can cascade through a major transit system, delaying refunds, journey histories and customer services for months and affecting about 10 million customers.
Thalha Jubair, 20, of Walsall in the West Midlands, and Owen Flowers, 18, pleaded guilty at Woolwich Crown Court to conspiring to commit unauthorised acts against TfL under the Computer Misuse Act. Flowers also admitted attempted hacking offences involving California-based Sutter Health and SSM Health Care Corporation, widening the case beyond London’s transport network to health-sector targets in the United States.

TfL first identified suspicious activity on Sunday 1 September 2024 after the intrusion the previous day. It said it took immediate action to secure its systems, limit access and preserve operations that were essential to running the network. The National Crime Agency said investigators believed the attack had been carried out by members of the online criminal collective Scattered Spider.
The disruption lasted far beyond the initial breach. TfL said the cyber incident caused three months of disruption, with contactless journey history and refunds not fully restored until 4 December 2024. The operator said certain customer data was accessed, including names and contact details for some customers, though it later said there was no evidence that the data had been misused. On 13 February 2025, the Information Commissioner’s Office said it would not take regulatory action and considered the matter closed.

The financial damage was substantial. TfL said the attack cost it £39 million, while the breach affected around 10 million customers. It also said thousands of customers were written to about the unauthorised access. Since 2 September 2024, its customer contact centre has recorded 36,936 cases relating to Oyster and contactless payment cards, and TfL estimated that around 96,000 contactless customers were unable to submit a webform during the incident.

Recovery continued after systems reopened. TfL said more than 85,000 photocards had been dispatched, including more than 33,000 Zip photocards, around 40,000 18+ Student photocards and more than 13,000 60+ London Oyster photocards. The episode showed that even when operators keep core transport services running, digital outages can still ripple through fares, refunds and identity systems for months, leaving public agencies to confront how exposed essential services remain to relatively small groups of attackers.