Two Britons plead guilty to 2024 TFL personal data breach

Two British cybercriminals belonging to the Scattered Spider hacking group, twenty-year-old Thalha Jubair and eighteen-year-old Owen Flowers, have pleaded guilty to offences under the Computer Misuse Act (CMA) at Woolwich Crown Court. Their guilty pleas are in connection with a 2024 cyberattack on Transport for London (TfL) that cost £39 million and resulted in the theft of the personal data of 10 million customers.

The cyberattack disrupted live tube arrival information on TfL's website and app and also impacted payment processing on its Oyster and contactless platforms. Both individuals admitted to conspiring to commit unauthorised acts that posed a risk of serious damage to human welfare. Flowers also confessed to hacking two US healthcare companies. Furthermore, the US Department of Justice (DoJ) has accused Jubair of separate cyberattacks against forty-seven organisations.

The National Crime Agency (NCA) highlighted that the case underscores an escalating threat from homegrown, English-speaking hackers, in contrast to historical trends of attacks originating from Russian-speaking territories. The defendants have been remanded in custody until sentencing on 15 July.

Training Announcement: The BCS Foundation Certificate in Information Security Management Principles (CISMP) is an entry-level programme aligned with ISO/IEC 27001 and Cyber Essentials that examines the fundamental concepts, technologies and principles of information security management. It provides attendees with practical knowledge of key concepts and techniques in risk management, security operations, and technical, physical, and environmental security. In addition, CISMP addresses legal and regulatory requirements, business continuity and disaster recovery planning, and emerging technologies. Find out more.