• 2 min read
TfL hack brings 5.5-year prison terms for Scattered Spider duo
Two Scattered Spider members were jailed for 5 years and 6 months over the 2024 TfL hack that caused £29 million in losses and disrupted 148 systems.

Image: BleepingComputer
Two leading members of the Scattered Spider cybercrime collective have each been sentenced to five years and six months in prison for the 2024 hack of Transport for London.
TfL, which provides transport services to more than 8.4 million Londoners, disclosed on September 2, 2024 that its network had been breached the previous month. The attack disrupted internal systems and online services, including Dial-a-Ride, concessionary travel cards, digital payments, the rollout of contactless ticketing, and TfL’s ability to process refunds. TfL also said 148 systems were knocked offline, while all 27,000 employees had to reset their passwords in person.
TfL later reported £29 million in losses and recovery costs. Officials also estimated the damage to the wider UK economy could have reached £56 billion if the attackers had managed to shut down the transport network.

Recommended reading
One in six PCs still run Windows 10
On September 12, 2024, TfL said the attackers had stolen customer data, including names, addresses, and contact details. Four days later, officers from the City of London Police and the UK National Crime Agency arrested Thalha Jubair, 20, and Owen Flowers, 18, at their homes. Investigators said Flowers was also in the process of hacking U.S. healthcare companies Sutter Health and SSM Health Care Corporation, and devices seized from him contained evidence tied to the TfL breach. Both men pleaded guilty last month under the Computer Misuse Act.
NCA Deputy Director Paul Foster called Scattered Spider “the most significant cybercrime threat to the UK in recent years” and said TfL’s early cooperation with investigators was key to securing the convictions.
“These convictions would likely not have been possible had Transport for London not engaged with law enforcement early, so I would urge any other organisation to please do the same in such circumstances.”
The case extends beyond the UK. The U.S. Department of Justice charged Jubair in September 2025 with conspiracy to commit computer fraud, money laundering, and wire fraud tied to at least 120 network breaches between May 2022 and September 2025. Court documents say the attacks hit dozens of U.S. organizations, including critical infrastructure entities and U.S. courts, and that Jubair and accomplices extorted more than $115 million from victims worldwide between August 2024 and July 2025.
In July 2025, the NCA also arrested four other suspected Scattered Spider members linked to a wave of attacks on major UK retailers including Harrods, Marks & Spencer, and Co-op.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via BleepingComputer


