Cybercriminals admit £39 million attack on TfL

Cybercriminals have admitted carrying out the Transport for London (TfL) attack that cost the organisation £39 million, the National Crime Agency (NCA) said. Thalha Jubair, 20, and Owen Flowers, 18, targeted TfL’s network between 29 August 2024 and 6 September 2024, causing a loss of £39 million and forcing 28,000 employees to attend a password reset. The NCA reported that attackers accessed data from the Oyster refund system, delayed refunds for some customers, and closed applications for Oyster photocards for children and young people. The defendants, members of Scattered Spider, had initially denied conspiring to commit unauthorised acts but changed their pleas to guilty at Woolwich Crown Court on Monday, ahead of trial. Flowers, from Walsall in the West Midlands, also admitted targeting US healthcare firms, pleading guilty over SSM Health Care Corporation and attempting unauthorised acts against Sutter Health. Investigators found multiple devices at his home and evidence of TfL connectivity, online credential sales and videos showing Jubair accessing TfL systems. The NCA said both men used Telegram and a shared online workspace.