In August 2024, Transport for London (TfL) suffered a cyberattack attributed to the Scattered Spider hacking collective; two teenagers, 18-year-old Owen Flowers and 19-year-old Thalha Jubair, were arrested in connection with it. TfL initially claimed that no customer data was compromised, but later confirmed that the breach included customers' names, contact details, and addresses. The attack disrupted internal systems, online services, and refund processing, causing millions in financial losses and operational disruptions. TfL, a critical infrastructure provider serving 8.4 million Londoners, had previously faced a 2023 Clop ransomware attack via a third-party MOVEit server, which exposed the data of 13,000+ customers. The 2024 incident was part of a broader campaign by Scattered Spider, which also targeted U.S. healthcare providers (SSM Health, Sutter Health) and extorted $115M+ globally from 47+ U.S. organizations. The attack did not halt transport services, but it compromised customer PII and crippled administrative functions, consistent with financially motivated cybercrime that carries reputational and operational fallout. The NCA linked the group to 120+ breaches worldwide, highlighting its role in large-scale extortion and fraud.
TPRM report: https://www.rankiteo.com/company/transport-for-london
{
  "id": "tra2592425091825",
  "linkid": "transport-for-london",
  "type": "Cyber Attack",
  "date": "6/2023",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Transportation',
'location': 'London, UK',
'name': 'Transport for London (TfL)',
'size': 'Large (serves 8.4M+ Londoners)',
'type': 'Government Agency'},
{'industry': 'Healthcare',
'location': 'United States',
'name': 'SSM Health Care Corporation',
'type': 'Private Company'},
{'industry': 'Healthcare',
'location': 'United States',
'name': 'Sutter Health',
'type': 'Private Company'},
{'industry': 'Retail',
'location': 'United Kingdom',
'name': 'Marks & Spencer',
'type': 'Private Company'},
{'industry': 'Retail',
'location': 'United Kingdom',
'name': 'Harrods',
'type': 'Private Company'},
{'industry': 'Retail',
'location': 'United Kingdom',
'name': 'Co-op',
'type': 'Private Company'}],
'attack_vector': ['Social Engineering (likely)',
'Network Intrusion',
'Exploitation of Vulnerabilities'],
'customer_advisories': ['Initial denial of data compromise (later corrected)'],
'data_breach': {'data_exfiltration': 'Yes (initially denied, later confirmed)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'Moderate (names, contact details, '
'addresses)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)']},
'date_detected': '2024-08-01',
'date_publicly_disclosed': '2024-09-02',
'description': 'Two teenagers, Owen Flowers (18) and Thalha Jubair (19), '
'members of the Scattered Spider hacking collective, were '
'arrested in the UK for their alleged involvement in the '
'August 2024 cyberattack on Transport for London (TfL). The '
'attack disrupted internal systems and online services, '
'including refund processing, and later revealed the '
'compromise of customer data (names, contact details, and '
'addresses). Flowers also faces charges for attacks on U.S. '
'healthcare companies (SSM Health Care Corporation and Sutter '
'Health). Jubair is accused of involvement in at least 120 '
'global network breaches and extortion attacks, with victims '
'paying over $115M in ransoms. The NCA linked Scattered Spider '
'to prior attacks on UK retailers like Marks & Spencer, '
'Harrods, and Co-op.',
'impact': {'brand_reputation_impact': 'High (critical national infrastructure '
'targeted)',
'data_compromised': ['Customer names',
'Contact details',
'Addresses'],
'financial_loss': 'Millions (exact amount undisclosed)',
'identity_theft_risk': 'Moderate (PII compromised)',
'legal_liabilities': ['Computer misuse charges (UK)',
'Fraud-related charges (UK)',
'Conspiracy to commit computer fraud, money '
'laundering, and wire fraud (U.S.)'],
'operational_impact': ['Disruption of internal operations',
'Inability to process refunds',
'No impact on transportation services'],
'systems_affected': ['Internal systems',
'Online services',
'Refund processing systems']},
'initial_access_broker': {'high_value_targets': ['Transportation (TfL)',
'Healthcare (SSM Health, '
'Sutter Health)',
'Retail (Marks & Spencer, '
'Harrods, Co-op)']},
'investigation_status': 'Ongoing (court proceedings, additional evidence '
'gathering)',
'motivation': ['Financial Gain', 'Extortion', 'Disruption'],
'ransomware': {'data_exfiltration': 'Yes (alleged in broader Scattered Spider '
'operations)'},
'references': [{'source': 'UK National Crime Agency (NCA) Press Release'},
{'source': 'U.S. Department of Justice Complaint (District of '
'New Jersey)'},
{'source': 'Transport for London (TfL) Public Disclosure '
'(2024-09-02)'}],
'regulatory_compliance': {'legal_actions': ['Arrests (UK)',
'Criminal charges (UK and U.S.)',
'Prosecution for computer misuse '
'and fraud']},
'response': {'communication_strategy': ['Public disclosure on 2024-09-02',
'Updates on data compromise'],
'incident_response_plan_activated': 'Yes (TfL and NCA '
'involvement)',
'law_enforcement_notified': 'Yes (UK National Crime Agency, U.S. '
'Department of Justice)'},
'threat_actor': ['Scattered Spider (hacking collective)',
'Owen Flowers (18, Walsall, UK)',
'Thalha Jubair (19, East London, UK)'],
'title': 'Cyberattack on Transport for London (TfL) by Scattered Spider '
'Hacking Collective',
'type': ['Cyberattack',
'Data Breach',
'Disruption of Services',
'Ransomware (alleged)',
'Extortion']}