Sutter Health and SSM Health: Two Scattered Spider hackers plead guilty over Transport for London cyberattack

Sutter Health and SSM Health: Two Scattered Spider hackers plead guilty over Transport for London cyberattack

Scattered Spider Hackers Plead Guilty in £29M TfL Cyberattack

Two members of the cybercriminal group Scattered Spider Thalha Jubair (20, London) and Owen Flowers (18, Walsall) have pleaded guilty to charges under the UK’s Computer Misuse Act for their roles in a 2024 cyberattack on Transport for London (TfL). The breach, which occurred between 31 August and 3 September 2024, resulted in £29 million in losses and recovery costs, disrupted critical services, and forced TfL to reset passwords for all 28,000 employees in person.

The attack targeted TfL’s Oyster refunds system, delaying customer reimbursements and shutting down the application portal for Oyster photocards used by children and young people. The National Crime Agency (NCA) confirmed that the hackers accessed sensitive data, causing prolonged inconvenience for millions of daily commuters.

Investigators linked Flowers to additional intrusions, including breaches of U.S. healthcare providers SSM Health and Sutter Health. Seized devices including laptops, hard drives, and USB storage contained screenshots of TfL infrastructure access and videos of Jubair navigating TfL systems, with the pair communicating via Telegram and an online collaboration platform.

Flowers was first arrested on 6 September 2024 and later breached bail conditions twice in 2025. Both suspects were apprehended at their homes on 16 September 2025 by the NCA and City of London Police.

Deputy Director Paul Foster of the NCA’s National Cyber Crime Unit emphasized the real-world impact of the attack, stating it inflicted financial harm on critical national infrastructure and disrupted public services. Deputy Commissioner Nik Adams of the City of London Police warned that such attacks would face serious consequences.

Sentencing for Jubair and Flowers is scheduled for 16 July.

Source: https://www.helpnetsecurity.com/2026/06/23/transport-london-cyberattack-scattered-spider-members-plead-guilty/

Sutter Health TPRM report: https://www.rankiteo.com/company/sutter-health

SSM Health TPRM report: https://www.rankiteo.com/company/cambridge-assessment-english

"id": "sutcam1782210474",
"linkid": "sutter-health, cambridge-assessment-english",
"type": "Breach",
"date": "8/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Millions of daily commuters',
                        'industry': 'Transportation',
                        'location': 'London, UK',
                        'name': 'Transport for London (TfL)',
                        'type': 'Public transportation authority'},
                       {'industry': 'Healthcare',
                        'location': 'U.S.',
                        'name': 'SSM Health',
                        'type': 'Healthcare provider'},
                       {'industry': 'Healthcare',
                        'location': 'U.S.',
                        'name': 'Sutter Health',
                        'type': 'Healthcare provider'}],
 'data_breach': {'type_of_data_compromised': 'Sensitive data'},
 'date_detected': '2024-09-03',
 'description': 'Two members of the cybercriminal group Scattered Spider, '
                'Thalha Jubair (20, London) and Owen Flowers (18, Walsall), '
                'pleaded guilty to charges under the UK’s Computer Misuse Act '
                'for their roles in a 2024 cyberattack on Transport for London '
                '(TfL). The breach resulted in £29 million in losses and '
                'recovery costs, disrupted critical services, and forced TfL '
                'to reset passwords for all 28,000 employees in person. The '
                'attack targeted TfL’s Oyster refunds system, delaying '
                'customer reimbursements and shutting down the application '
                'portal for Oyster photocards used by children and young '
                'people. The National Crime Agency (NCA) confirmed that the '
                'hackers accessed sensitive data, causing prolonged '
                'inconvenience for millions of daily commuters.',
 'impact': {'data_compromised': 'Sensitive data',
            'financial_loss': '£29 million',
            'operational_impact': 'Disrupted critical services, delayed '
                                  'customer reimbursements, forced password '
                                  'resets for 28,000 employees',
            'systems_affected': ['Oyster refunds system',
                                 'Oyster photocards application portal']},
 'investigation_status': 'Concluded with guilty pleas',
 'motivation': 'Financial gain',
 'references': [{'source': 'National Crime Agency (NCA)'}],
 'regulatory_compliance': {'legal_actions': 'Guilty plea',
                           'regulations_violated': ['Computer Misuse Act']},
 'response': {'containment_measures': 'Password resets for 28,000 employees',
              'law_enforcement_notified': 'Yes'},
 'threat_actor': 'Scattered Spider',
 'title': 'Scattered Spider Hackers Plead Guilty in £29M TfL Cyberattack',
 'type': 'Cyberattack'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.