Two teenagers have been charged as part of a National Crime Agency investigation into a devastating cyber attack on Transport for London that caused significant disruption and millions of pounds in losses to the capital’s critical infrastructure.
Thalha Jubair, 19, from Tower Hamlets in east London, and Owen Flowers, 18, from Walsall in the West Midlands, were arrested at their home addresses on Tuesday by officers from the NCA and City of London Police. Both appeared at Westminster Magistrates Court on Thursday afternoon to face charges under the Computer Misuse Act.
The Crown Prosecution Service authorised charges against the pair for conspiring together to commit unauthorised acts against TfL, causing or creating risk of serious damage to human welfare and national security. The attack, which occurred on 31 August 2024, is believed to have been carried out by members of the notorious cyber criminal collective known as Scattered Spider.
Major Infrastructure Attack Causes Widespread Disruption
The sophisticated cyber attack on TfL resulted in substantial operational disruption and financial losses exceeding £30 million to date. Whilst core transport services including the London Underground continued to operate, the incident forced TfL to shut down multiple IT systems and suspend various customer services for months.
According to TfL’s financial update to its board, the transport authority’s projected operating surplus has been slashed from £61 million to £23 million, largely due to the cyber incident’s impact. The organisation revealed it has spent £5 million on incident response, investigation, and remedial cyber security measures in the past three months alone.
Customer data was accessed during the breach, including names, contact details, email addresses, and home addresses for thousands of passengers. Approximately 5,000 customers’ Oyster card refund data, including bank account numbers and sort codes, was also compromised. TfL contacted affected customers directly in September 2024 as a precautionary measure.
The attack caused particular hardship for vulnerable London residents. Applications for new Zip cards for children aged 5-17, 60+ Oyster cards, and 18+ Student Oyster cards were suspended for months whilst security checks were conducted. This left hundreds of thousands of Londoners entitled to travel concessions facing overcharges and financial difficulties.
Additional Charges for US Healthcare Attacks
Flowers faces additional charges related to cyber attacks on American healthcare organisations. The NCA revealed he has been charged with conspiring to infiltrate and damage the networks of SSM Health Care Corporation and attempting to do the same to Sutter Health, both based in the United States.
Jubair has been separately charged under the Regulation of Investigatory Powers Act 2000 for failing to surrender PIN codes and passwords for devices seized by law enforcement on 19 March. This additional charge suggests authorities have been investigating the pair for several months prior to their arrests.
Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, described the charges as “a key step in what has been a lengthy and complex investigation.” He emphasised the severity of the attack, stating it “caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure.
Rising Threat from English-Speaking Cyber Criminals
The arrests come amid growing concerns about the emergence of English-speaking cyber criminal groups operating from the UK and other Western countries. Foster noted that “earlier this year, the NCA warned of an increase in the threat from cyber criminals based in the UK and other English-speaking countries, of which Scattered Spider is a clear example.”
Scattered Spider represents a new breed of cyber criminal organisation, consisting largely of English-speaking young men, including many teenagers, from the UK and United States. The group is believed to have as many as 1,000 loosely affiliated members who collaborate on various criminal activities.
The collective is known for its sophisticated social engineering tactics, often impersonating employees or contractors to deceive IT help desks into granting access to corporate networks. Once inside, they deploy ransomware, steal data for extortion, and cause widespread disruption to operations.
Security experts note that Scattered Spider members are affiliated with a broader underground collective known as “The Com”, which has been linked to various crimes ranging from extortion and money laundering to violent acts and predatory behaviour involving minors. The group’s fluid structure and use of encrypted communications makes law enforcement efforts particularly challenging.
Previous Arrests and Ongoing Investigations
The charges against Jubair and Flowers follow a pattern of law enforcement action against suspected Scattered Spider members. In July 2024, a 17-year-old from Walsall was arrested in connection with the high-profile MGM Resorts ransomware attack in Las Vegas. Whilst Flowers matches that description and location, authorities have not officially confirmed any connection to the MGM case.
In November 2024, US authorities charged five alleged Scattered Spider members with stealing $11 million (approximately £8.7 million) worth of cryptocurrency from at least 29 victims, alongside theft of corporate documents from company systems. One British national, 22-year-old Tyler Buchanan, was arrested in Spain and faces extradition to the United States.
The group has been linked to numerous high-profile attacks, including breaches at Caesars Entertainment, Coinbase, Twilio, MailChimp, and Reddit. More recently, they targeted British retailers Marks & Spencer, Co-op, and Harrods in April 2025, causing combined losses estimated between £270 million and £440 million.
International Collaboration and Ongoing Investigation
The investigation into the TfL attack has involved extensive collaboration between the NCA, City of London Police, West Midlands Regional Organised Crime Unit, British Transport Police, and the FBI. Foster praised TfL for its “swift action” in reporting the cyber attack and its continued engagement with law enforcement throughout the investigation.
Hannah Von Dadelszen, chief crown prosecutor for the Crown Prosecution Service, confirmed that prosecutors “have worked to establish that there is sufficient evidence to bring the case to trial and that it is in the public interest to pursue criminal proceedings.”
The NCA emphasised that investigations remain ongoing, with Foster stating: “The NCA, UK policing, and our international partners, including the FBI, are collectively committed to identifying offenders within these networks and ensuring they face justice.”
Broader Implications for Critical Infrastructure
The TfL attack highlights the vulnerability of critical national infrastructure to cyber threats. An independent review has been commissioned to examine both the attack itself and TfL’s response, though publicly available information will remain limited whilst criminal proceedings are underway.
TfL’s chief technology officer, Shashi Verma, reported that the organisation has now restored most affected services, including processing over 30,000 Zip passes, 40,000 new student passes, and 13,000 pensioners’ passes since reopening applications. However, some customers continue to experience delays with refunds and other services.
The incident occurred just months after a major ransomware attack on NHS hospitals in London through pathology services provider Synnovis, attributed to Russian hacking group Qilin. That attack resulted in over 10,000 cancelled appointments and ongoing disruption to healthcare services.
As cyber criminals increasingly target essential services and infrastructure, the TfL case serves as a stark warning about the need for robust cyber security measures and rapid incident response capabilities. The financial and operational impacts demonstrate how cyber attacks can affect millions of citizens who rely on public services daily.
The teenagers’ court appearance marks a significant development in the fight against domestic cyber crime threats, though authorities acknowledge that dismantling groups like Scattered Spider remains an ongoing challenge due to their decentralised nature and international reach.
Follow for more updates on Britannia Daily
Image Credit:
Victoria Tube Station (2 February 2025) — photo by CAPTAIN RAJU, licensed CC0 1.0 (Public Domain Dedication).
