In August 2024, **Transport for London (TfL)** suffered a cyber-attack attributed to suspected members of the **Scattered Spider** group, specifically **Thalha Jubair (19) and Owen Flowers (18)**, who were later charged under the UK's **Computer Misuse Act**. The breach compromised the **sensitive personal data of ~5,000 customers**, including **Oyster refund records containing bank account numbers and sort codes**. The attack disrupted TfL's operations and cost the organisation **£30m (~$40.6m) in total**, of which **£5m (~$6.7m) was spent on external recovery support**. Because TfL is **critical national infrastructure**, the incident illustrates the group's preference for high-impact extortion targets. Jubair alone was linked to **120+ network intrusions** and **at least $115m in ransom payments** extracted from 47 US entities; cryptocurrency movements (e.g., **$8.4m transferred during law enforcement seizures**) point to deliberate handling of the proceeds. The case underscores the **growing threat of UK-based cybercriminal syndicates** that rely on **social engineering** to gain initial access, extort victims, and evade detection by leaving minimal digital trails.
Source: https://www.infosecurity-magazine.com/news/us-uk-charge-scattered-spider/
TPRM report: https://www.rankiteo.com/company/transport-for-london
{
  "id": "tra2285022110725",
  "linkid": "transport-for-london",
  "type": "Cyber Attack",
  "date": "8/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': '5,000', 'industry': 'transportation', 'location': 'London, UK', 'name': 'Transport for London (TfL)', 'type': 'government agency'},
                       {'industry': 'judicial/legal', 'location': 'USA', 'name': 'US Courts (unspecified)', 'type': 'government'},
                       {'industry': 'critical infrastructure', 'location': 'USA', 'name': 'US Critical Infrastructure Firm (unspecified)', 'type': 'private company'},
                       {'industry': 'healthcare', 'location': 'USA', 'name': 'SSM Health Care Corporation', 'type': 'healthcare provider'},
                       {'industry': 'healthcare', 'location': 'USA', 'name': 'Sutter Health', 'type': 'healthcare provider'},
                       {'industry': 'retail', 'location': 'UK', 'name': 'Marks & Spencer', 'type': 'retailer'},
                       {'industry': 'retail', 'location': 'UK', 'name': 'Co-op', 'type': 'retailer'},
                       {'industry': 'luxury retail', 'location': 'UK', 'name': 'Harrods', 'type': 'retailer'}],
 'attack_vector': ['social engineering', 'unauthorized network access', 'ransomware'],
 'customer_advisories': ['TfL likely issued advisories to affected customers regarding data exposure.'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '5,000 (TfL customers)',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['personally identifiable information (PII)',
                                              'financial data (bank account numbers, sort codes)',
                                              'Oyster refund data']},
 'date_publicly_disclosed': '2025-09-18',
 'description': 'US and UK authorities have charged two suspected members of the Scattered Spider cybercrime group—Thalha Jubair (19, UK) and Owen Flowers (18, UK)—with offenses tied to high-profile cyber-attacks. The attacks targeted US courts, a US critical infrastructure firm, and the UK’s Transport for London (TfL). Jubair is accused of 120+ network intrusions and extortion involving 47 US entities, with victims paying at least $115M in ransoms. The TfL hack compromised sensitive data of ~5,000 customers (including bank details) and cost £30M ($40.6M) in recovery. The arrests follow a collaborative investigation by UK, US, and international law enforcement agencies.',
 'impact': {'brand_reputation_impact': ['potential reputational damage to TfL, US courts, and healthcare providers'],
            'data_compromised': {'data_types': ['Oyster refund data', 'bank account numbers', 'sort codes'],
                                 'tfl_customers': '5,000 records'},
            'financial_loss': {'external_support_cost': '£5M ($6.7M)',
                               'tfl_incident': '£30M ($40.6M)',
                               'total': '$115M+ (ransom payments)'},
            'identity_theft_risk': ['high (bank account details exposed)'],
            'legal_liabilities': ['charges under Computer Misuse Act (UK)',
                                  'conspiracy to commit computer fraud, wire fraud, and money laundering (US)',
                                  'RIPA charges for failing to disclose device passwords (UK)'],
            'operational_impact': ['significant disruption to TfL (UK critical national infrastructure)',
                                   'recovery efforts requiring external support'],
            'payment_information_risk': ['high (bank account numbers and sort codes compromised)'],
            'systems_affected': ['US court systems',
                                 'US critical infrastructure firm',
                                 'Transport for London (TfL)',
                                 'SSM Health Care Corporation',
                                 'Sutter Health']},
 'initial_access_broker': {'entry_point': ['social engineering'],
                           'high_value_targets': ['US courts', 'critical infrastructure', 'healthcare providers', 'retailers']},
 'investigation_status': 'ongoing (charges filed, court proceedings initiated)',
 'lessons_learned': ['Collaborative international law enforcement efforts are critical in disrupting cybercrime groups.',
                     'Social engineering remains a highly effective attack vector for gaining unauthorized access.',
                     'Teenage cybercriminals pose a growing threat, leveraging technical skills for financial gain.',
                     'Evidence collection in cybercrime cases is challenging but achievable with thorough investigation.'],
 'motivation': ['financial gain', 'extortion'],
 'post_incident_analysis': {'corrective_actions': ['Strengthen identity verification protocols.',
                                                   'Implement stricter access controls and monitoring for high-value targets.',
                                                   'Enhance incident response plans to include ransomware-specific playbooks.',
                                                   'Conduct regular red-team exercises to test defenses against social engineering.'],
                            'root_causes': ['Successful social engineering attacks leading to unauthorized access.',
                                            'Inadequate defenses against ransomware and extortion tactics.',
                                            'Exploitation of human vulnerabilities (e.g., phishing, impersonation).']},
 'ransomware': {'data_exfiltration': True,
                'ransom_paid': '$115M+ (across 47 US entities)'},
 'recommendations': ['Enhance employee training to mitigate social engineering risks.',
                     'Strengthen multi-factor authentication (MFA) and access controls.',
                     'Improve cross-border law enforcement coordination to track and prosecute cybercriminals.',
                     'Monitor dark web activity for signs of data leaks or ransomware negotiations.',
                     'Invest in proactive threat intelligence to identify emerging cybercrime groups.'],
 'references': [{'date_accessed': '2025-09-18', 'source': 'US Department of Justice (District of New Jersey)'},
                {'date_accessed': '2025-09-18', 'source': 'UK National Crime Agency (NCA)'},
                {'date_accessed': '2025-09-18', 'source': 'Westminster Magistrates Court (UK)'},
                {'date_accessed': '2025-09', 'source': 'ESET (Jake Moore, Global Cybersecurity Advisor)'}],
 'regulatory_compliance': {'legal_actions': ['arrests (2025-09-16)',
                                             'charges unsealed (2025-09-18)',
                                             'court appearances (Westminster Magistrates Court)'],
                           'regulations_violated': ['Computer Misuse Act (UK)',
                                                    'Regulation of Investigatory Powers Act (RIPA, UK)',
                                                    'US laws on computer fraud, wire fraud, and money laundering']},
 'response': {'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'recovery_measures': ['external support for TfL'],
              'third_party_assistance': ['external support for TfL recovery (cost: £5M)']},
 'threat_actor': ['Scattered Spider',
                  'Thalha Jubair (aka EarthtoStar, Brad, Austin, @autistic)',
                  'Owen Flowers'],
 'title': 'Scattered Spider Cybercrime Group Members Charged in High-Profile Attacks on US Courts, Critical Infrastructure, and Transport for London (TfL)',
 'type': ['cybercrime', 'ransomware', 'data breach', 'social engineering', 'extortion']}