In a significant escalation of cybercrime, two teenagers linked to the August 2024 cyberattack on Transport for London (TfL) have been apprehended in the United Kingdom. This incident highlights the growing prevalence and sophistication of cyber threats targeting critical infrastructure and underscores the importance of stringent cybersecurity measures.
The suspects, identified as 18-year-old Owen Flowers from Walsall and 19-year-old Thalha Jubair from East London, are believed to be members of the notorious Scattered Spider hacking collective. They are slated to appear at Westminster Magistrates Court today. Flowers had previously been arrested in September 2024 for his alleged involvement in the TfL cyber incident but was released on bail after initial questioning by agents from the UK National Crime Agency (NCA).
Recently, NCA investigators uncovered additional evidence suggesting Flowers’ involvement in cyberattacks against U.S. healthcare organizations. Both suspects are facing serious charges related to computer misuse and fraud in connection with the TfL breach. Furthermore, Flowers is charged with conspiring to target the networks of the SSM Health Care Corporation and Sutter Health in the United States.
Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, remarked, “This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure.” He noted that the NCA had previously issued warnings about an uptick in cyber threats emanating from the UK and other English-speaking countries, with Scattered Spider representing a clear and present danger.
Thalha Jubair has also been charged by the U.S. Department of Justice with various conspiracies, including committing computer fraud, money laundering, and wire fraud. These charges relate to at least 120 network breaches and extortion attacks globally, affecting over 47 U.S. organizations between May 2022 and September 2025. According to the unsealed complaint in the District of New Jersey, victims have reportedly paid Jubair and his associates a staggering $115 million in ransom.
The Transport for London Cyberattack
The August 2024 cyberattack on TfL was publicly disclosed on September 2, 2024. Initially, TfL claimed that no customer data had been compromised in the breach. However, subsequent investigations revealed that sensitive customer information, including names, contact details, and addresses, had indeed been exposed. While critical transportation services were not disrupted, internal systems and online services experienced significant operational challenges, affecting TfL’s ability to process refunds efficiently.
TfL plays a vital role in London’s public transport ecosystem, serving over 8.4 million residents through its surface, underground, and Crossrail transport systems, jointly overseen with the UK’s Department for Transport.
This incident follows a previous security breach in May 2023, wherein the Clop ransomware gang infiltrated one of TfL’s supplier networks, stealing data from over 13,000 customers through vulnerabilities in the MOVEit Managed File Transfer (MFT) servers.
In July, the NCA apprehended four additional suspected members of the Scattered Spider collective, believed to be linked to cyberattacks against significant retailers, including Marks & Spencer, Harrods, and Co-op. These arrests underline the urgent need for organizations of all sizes to bolster their cybersecurity frameworks and invest in proactive threat detection and prevention strategies.
Current statistics reveal that 46% of environments experienced password breaches, nearly doubling from 25% in the previous year. This alarming trend signifies the necessity for improved authentication methods and robust password management protocols.
Stay informed and prepared by accessing the Picus Blue Report 2025 for comprehensive insights into emerging trends in prevention, detection, and data exfiltration.