Scattered Spider members jailed over Transport for London hack that cost £29 million

Scattered Spider members jailed over Transport for London hack that cost £29 million

Two members of the notorious “Scattered Spider” hacking collective have been sentenced to five years and six months in prison each for a cyberattack on Transport for London (TfL) that disrupted services for thousands of commuters and cost the transport authority an estimated £29 million.

Transport for London cyberattack

Thalha Jubair, 20, of East London, and Owen Flowers, 18, of Walsall, pleaded guilty last month, on the day their trial was set to start. The National Crime Agency (NCA) and City of London Police charged them under Section 3ZA of the Computer Misuse Act (CMA).

“Section 3ZA of the CMA is the most serious section as it applies where the unauthorised act causes or creates a significant risk of serious damage, and the person intends or is reckless as to that damage,” the NCA said.

Jubair and Flowers gained unauthorized access to TfL’s systems between 31 August and 3 September 2024. TfL contained the incident, though the breach still affected 148 systems and required all 27,000 employees to reset their passwords in person.

The incident disrupted the Dial-a-Ride booking system for disabled and elderly passengers, concessionary travel cards, digital payments, the refund system, and the planned rollout of contactless ticketing. Applications for children’s discounted travel cards were also unavailable.

Investigators estimated that a complete outage of London’s transport network could have cost the UK economy up to £56 billion.

“This shocking case shows the very serious threat that cyber criminals pose to our security and prosperity – a key part of our capital’s infrastructure lost millions of pounds and ordinary paying customers suffered huge disruption,” noted Security Minister Dame Angela Eagle.

Investigation uncovered broader activity

Police arrested Flowers on 6 September 2024. Investigators said he was involved in attacks targeting two US healthcare organizations, SSM Health Care Corporation and Sutter Health, at the time of his arrest.

A search of his home uncovered laptops, hard drives, USB devices, and a video showing Jubair inside TfL’s systems. Investigators said the pair communicated through Telegram and used a shared online workspace during the attack.

Police arrested both men at their homes on 16 September 2024. Flowers was later arrested again for breaching bail conditions related to device use. Jubair also faced a separate charge after refusing to provide investigators with the PINs and passwords for seized devices.

“Scattered Spider has been the most significant cybercrime threat to the UK in recent years. Through this investigation, we have severely disrupted that threat and brought key offenders to justice,” said Paul Foster, Deputy Director and head of the NCA’s National Cyber Crime Unit.

Scattered Spider members are known for their social engineering skills (particularly vishing), and their tendency to bypass multi-factor authentication protections through SIM swapping, fake single sign-on (SSO) pages, and MFA prompt bombing (aka MFA fatigue).

They also have a penchant for targeting corporate IT help desk and support personnel via phone by impersonating employees and convincing the former to change account passwords, as well as impersonating support personnel to get employees to install remote monitoring and management (RMM) tools or logging into their accounts via phishing sites.

Leave a Reply