Skip to content
Quick exit
  • Cymraeg
  • Reporting SARs
  • CSEA Reporting for Industry
NCA Logo
Protecting the public from serious and organised crime
  • Who we are
    • Our mission
    • Our people
    • Our leadership
    • Governance and transparency
    • Inclusion, diversity and equality
    • Publications
  • What we do
    • What we investigate
    • Border vulnerabilities
    • Bribery, corruption and sanctions evasion
    • Cybercrime
    • Child sexual abuse and exploitation
    • Drug trafficking
    • Illegal firearms
    • Fraud
    • Kidnap and extortion
    • Missing persons
    • Modern slavery and human trafficking
    • Money laundering and illicit finance
    • Organised immigration crime
    • Operation Stovewood: Rotherham child sexual abuse investigation
    • How we work
    • Intelligence: enhancing the picture of serious organised crime affecting the UK
    • Investigating and disrupting the highest risk serious and organised criminals
    • Providing specialist capabilities for law enforcement
    • Supporting victims and survivors
    • National Strategic Assessment for Serious and Organised Crime
    • Underworld: Behind the scenes of the NCA Podcast
  • News
    • All news
  • Careers
    • How to join the NCA
    • Applying and onboarding
    • Current vacancies
    • A day in the life
    • Benefits and support
  • Most Wanted
  • Contact us
    • Officer verification
    • Return of seized property
    • Provide information on serious and organised crime
    • Whistleblowing
    • Complaints
    • Media enquiries
    • Suspicious Activity Reports (SARs)
  2. Home >
  3. News >
  4. Cyber criminals who hacked into Transport for London's computer network are convicted

Share this page:

Share this page:

News

Cyber criminals who hacked into Transport for London's computer network are convicted

  • Cybercrime

Two young men have admitted mounting a cyber attack on Transport for London (TfL), which cost tens of millions of pounds in losses and inconvenienced thousands of customers.

The National Crime Agency and City of London Police investigated Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands, after TfL’s network was infiltrated between 31 August and 3 September 2024.

Jubair and Flowers, who were arrested at their home addresses on 16 September last year by the NCA and COLP, were both members of the online criminal collective known as Scattered Spider.

The pair compromised TfL’s network, forcing all 28,000 employees to attend a TfL office for a password reset. The organisation suffered a reported £29 million in loss and recovery costs.

Data from TfL’s Oyster refunds system was accessed and the incident also affected TfL’s customer refund system, leaving some out of pocket for much longer than usual. It also closed down the application system for Oyster photocards for children and young people.

Flowers was initially arrested for the TfL attack on 6 September 2024, at which point NCA officers identified further evidence that the networks of US healthcare companies SSM Health Care Corporation and Sutter Health had been infiltrated and damaged.

Investigators found a number of devices at his home including laptops, tower computers, hard drives and USB sticks.

One Acer laptop contained a screen shot of showing network connectivity to TfL infrastructure.

Flowers had also accessed an online tool selling breached credentials.

The laptop also contained a number of videos that Flowers had recorded, showing Jubair accessing TfL systems during the attack. The pair were messaging each other over Telegram at the same time and also communicated via an online tool where multiple participants can work remotely on a common workspace.

Flowers was bailed with strict conditions, which he breached on two occasions in March 2025 and May 2025.

Jubair was also charged for failing to disclose the pin or passwords for devices seized from him.

Both individuals were due to stand trial at Woolwich Crown Court today (22 June) but changed their pleas to guilty on the first day of proceedings.

They are due to be sentenced at the same court on 16 July.

Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, said:

“This has been a lengthy, highly complex and painstaking investigation.

“The perseverance and meticulousness of our officers, and the work of our partner organisations, meant that Jubair and Flowers had no option other than to plead guilty and take responsibility for their offending.

“Cyber crime may appear faceless and distant compared to other crime types, but the infiltration of TfL’s systems shows it has real-world consequences and impacts hugely on the public.

“The attack caused millions of pounds in losses to a key part of the UK’s critical national infrastructure, and was a significant inconvenience for customers.

“Today’s result would not have been possible if TfL had not engaged with law enforcement early, so I would urge any other organisation to please do the same in such circumstances.

“The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cyber criminals based in the UK and other English-speaking countries, epitomised by Scattered Spider.

“This is why we work closely with partners at home and abroad to identify offenders within these networks and bring them to justice.”

Deputy Commissioner Nik Adams, of the City of London Police said:

“The cyber attack on Transport for London had a significant and far-reaching impact, causing major disruption and affecting the day-to-day operations of essential public services. Those who target critical organisations, cause substantial financial harm, and disrupt the daily lives of the public will not do so without consequence.

“As the national lead force for fraud and economic crime, we have been absolutely clear in our message: we will work around the clock with our partners and stakeholders to ensure the UK remains a hostile environment for cyber criminals.

“From the outset, we have worked tirelessly alongside the National Crime Agency on what has been a lengthy and highly complex investigation. Today’s outcome is the result of that close partnership, and it demonstrates the power of joint working between law enforcement agencies to pursue those who seek to undermine the systems that keep our country running.”

The NCA and COLP investigation was supported by the West Midlands Regional Organised Crime Unit and British Transport Police.

Victims of cybercrime should use the Government’s Cyber Incident Signposting Site for direction on which agencies to report an incident to.

The Cyber Choices programme helps people make informed choices to use their cyber skills in a legal way. Visit www.cyberchoices.uk

22 June 2026

Latest from twitter

Visit the NCA timeline on Twitter

Share this page:

TOP ˄
Verify an officer using our online reporting tool.
Click CEOP logo: Advice, Help, Report

  • Who we are

  • Our mission

  • What we do

  • How we investigate
  • How we work

  • News

  • Most wanted

  • Careers

  • A day in the life
  • Current vacancies

  • Contact us

  • Missing persons
  • Operation Stovewood
  • Suspicious activity reports
  • Verify an NCA officer
  • Complaints

Follow us

  • Sitemap
  • Privacy and Cookie Policy
  • Terms and Conditions
  • Publications
  • Accessibility statement
© Crown Copyright
© Crown Copyright