Two British Hackers Plead Guilty to £39m Cyber-Attack on Transport for London

The Cyber-Attack on Transport for London

Two British cybercriminals, Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty to offences under the Computer Misuse Act at Woolwich crown court on Monday. They were part of an online hacking community known as Scattered Spider, suspected of carrying out several attacks in recent years.

The Financial Impact of the Attack

The attack, which took place between 29 August and 3 September 2024, prevented live tube arrival information from appearing on the TfL Go app and the TfL website, while TfL was also unable to process any payments on the Oyster and contactless apps or to register Oyster cards to customer accounts. The incident cost TfL £39m.

The Data Analysis

TfL said it had emailed more than 7 million customers in September 2024 “to inform them about the incident” and tell them that “some customer data may have been taken”. The BBC reported that 10 million TfL customers had their data stolen.

The Impact on TfL and Its Users

The attack had significant consequences for TfL and its users. TfL handles up to 5m passenger journeys a day on the underground alone. The attack also shut the application system for Oyster photocards for children and young people, leaving some customers out of pocket for much longer than usual.

The Future Outlook for Cybercrime

The National Crime Agency (NCA) said the TfL incident underlined the growing threat from homegrown and English-speaking hackers. Typically, hacks on high-profile public and private organisations have been carried out by Russian speaking hackers or assailants based in the former Soviet Union. The NCA said Flowers and Jubair were both “members of the online criminal collective known as Scattered Spider”, a moniker assigned by cybersecurity analysts.