Two men plead guilty over £39m TfL cyber attack

Two men have pleaded guilty to offences in connection with a massive cyber attack which caused Transport for London (TfL) months of disruption and cost the operator £39m.

Thalha Jubair, 20, from east London and Owen Flowers, 18, from Walsall in the West Midlands changed their pleas on what was expected to be the first day of a six-week trial at Woolwich Crown Court on Monday.

The pair admitted to charges of conspiring to commit unauthorised acts against TfL under the Computer Misuse Act.

TfL previously said the hack disrupted services for three months when it began on 31 August 2024. The BBC was told the breach affected 10m customers.

They both pleaded guilty on the basis they recklessly accessed the systems without intending to do so.

Flowers also pleaded guilty of attempting to hack computer systems belonging to California-based Sutter Health and another US company, SSM Healthcare Corporation.

The transport operator's online services were impacted and customers were unable to see some information boards because they went offline during the attack.

TfL wrote to thousands of customers to tell them about the unauthorised access to some personal information.

Data from TfL's Oyster refunds system was accessed and the incident also affected TfL's customer refund system, leaving some out of pocket for much longer than usual. It also closed down the application system for Oyster photocards for children and young people.

At the time of Flowers and Jubair's arrests, investigators from the National Crime Agency (NCA) said they believed the "network intrusion" in summer 2024 was carried out by the online criminal group known as Scattered Spider.

Following the guilty pleas, the NCA said both men were had been arrested at their home addresses on 16 September 2024 as part of a joint investigation with the City of London Police.

The agency said investigators seized laptops, desktop computers, hard drives and USB devices from Flowers' home.

One laptop contained a screenshot showing connectivity to TfL infrastructure, while videos found on the device appeared to show Jubair accessing TfL systems during the attack. The NCA said the pair communicated via Telegram and an online collaborative workspace.

Flowers was also found to have accessed an online tool selling breached credentials, according to investigators.

Judge Mr Justice Turner thanked all the legal representatives, expressing gratitude for the "hard work" that had enabled the court to find a "satisfactory way forward".

NCA Deputy Director Paul Foster described the case as a "lengthy, highly complex and painstaking investigation".

"Cyber crime may appear faceless and distant compared to other crime types, but the infiltration of TfL's systems shows it has real-world consequences and impacts hugely on the public," he said.

"The attack caused millions of pounds in losses to a key part of the UK's critical national infrastructure, and was a significant inconvenience for customers."

The two men will be sentenced on 15 July.

Andy Lord, London's Transport Commissioner, said he welcomed the guilty pleas.

"The security of our systems and customer data is extremely important to us, and we continually monitor our systems to ensure only those authorised can gain access and continue to take the necessary actions to protect TfL," he added.

Listen to the best of BBC Radio London on Sounds and follow BBC London on Facebook, X and Instagram. Send your story ideas to hello.bbclondon@bbc.co.uk