Advertisement
TechExplainer

Scattered Spider: what is this hacking group and why does its TfL attack matter?

Explains the Scattered Spider hacking group, their 2024 TfL attack, and why it matters for UK readers.

Tech

Scattered Spider: what is this hacking group and why does its TfL attack matter?

Two teenage hackers had London's transport network at their mercy for four days in 2024, burrowing into the heart of Transport for London's IT systems and holding what a court called 'the keys to the kingdom'. Owen Flowers, 18, and Thalha Jubair, 20, were sentenced on 16 July 2026 to five years and six months in prison for a cyberattack that stole the personal data of up to 10 million TfL customers, forced all 27,000 employees to reset their passwords in person, and cost the authority £29 million in direct costs plus an estimated £10 million in lost income. They were members of Scattered Spider, a loosely connected English-speaking cybercrime group that the National Crime Agency (NCA) says represents the most significant cyber threat to the UK.

Scattered Spider is not a traditional organised crime gang. It is described by authorities as a loose collective of mostly young men aged 16 to 25 who communicate through messaging apps like Telegram. The group has been linked to dozens of high-profile attacks, including on casino giant MGM Resorts (2023), retailers Marks and Spencer and the Co-op (2025), airline WestJet, and cybersecurity firm Okta. What makes them particularly dangerous is their reliance on 'social engineering'—tricking employees into handing over access rather than exploiting technical vulnerabilities. In the TfL case, Flowers and Jubair called a phone help desk worker and convinced them to reset the password of an employee they were impersonating. Once inside, they escalated their privileges to create a 'domain admin' account, giving them almost unlimited control.

Explains the Scattered Spider hacking group, their 2024 TfL attack, and why it matters for UK readers.

The attack began at 5pm on 31 August 2024 and ran until 3 September. The pair livestreamed parts of the 16-hour hack online and boasted about searching TfL's customer database for the personal details of London celebrities. The NCA was alerted early, and TfL eventually 'pulled the plug' by disconnecting systems from the internet, but not before 148 technology systems were rendered inoperable. The dial-a-ride service for disabled and vulnerable Londoners was heavily disrupted, and online Oyster and contactless payment systems went down for weeks. Andy Lord, TfL's commissioner, called it the worst incident he had faced in his career. The sentencing was the largest cybercrime prosecution ever brought before UK courts, and only the second conviction under Section 3ZA of the Computer Misuse Act 1990, which covers acts that cause or risk serious damage.

Advertisement

For UK readers, the case is a stark reminder that cyberattacks can affect everyday life—from paying for a bus to booking a disabled transport service—and that the perpetrators are often young, isolated individuals operating from their bedrooms. The personal data of millions remains in criminal hands and is still being shared on illicit forums. The NCA says the jailing of these two hackers has 'severely' disrupted Scattered Spider's activity, but the group's brand may still be used by others.

Q: What is Scattered Spider? Scattered Spider is a loosely coordinated cybercrime group made up of English-speaking hackers, typically aged 16 to 25. They are known for using social engineering to break into corporate networks, and have claimed attacks on major companies such as MGM Resorts, Marks and Spencer, and the Co-op.

Q: How did the hackers break into TfL's systems? They tricked a phone help desk worker into resetting the password of an employee they were impersonating. This gave them access to TfL's network, where they created a 'domain admin' account that granted them the highest level of control—described in court as 'the keys to the kingdom'.

Advertisement

Q: What sentence did the two hackers receive and why? Owen Flowers and Thalha Jubair each received five years and six months in prison for the TfL attack. They pleaded guilty under Section 3ZA of the Computer Misuse Act, which covers reckless actions causing serious damage. The judge cited the sophistication of the attack, its massive impact, and the defendants' immaturity as factors in the sentence.

What happens next? The NCA says it has effectively halted Scattered Spider's criminal activity with these convictions, though other cybercriminals may continue to use the group's name. The stolen TfL data remains a risk to affected customers, and the NCA is continuing to investigate other members of the group both in the UK and abroad.

Advertisement
Advertisement