In August 2024, **Transport for London (TfL)** suffered a cyberattack attributed to the **Scattered Spider** hacking collective, involving two arrested teenagers (18-year-old Owen Flowers and 19-year-old Thalha Jubair). Initially, TfL claimed no customer data was compromised, but later confirmed the breach included **names, contact details, and addresses** of customers. The attack disrupted **internal systems, online services, and refund processing**, causing **millions in financial losses** and operational disruptions. TfL, a critical infrastructure provider serving **8.4 million Londoners**, had previously faced a **2023 Clop ransomware attack** via a third-party MOVEit server, exposing data of **13,000+ customers**. The 2024 incident was part of a broader campaign by Scattered Spider, which also targeted **U.S. healthcare providers (SSM Health, Sutter Health)** and extorted **$115M+ globally** from 47+ U.S. organizations. While the attack did not halt transport services, it compromised **customer PII** and crippled administrative functions, aligning with patterns of **financially motivated cybercrime** with **reputational and operational fallout**. The NCA linked the group to **120+ breaches worldwide**, highlighting its role in **large-scale extortion and fraud**.
TPRM report: https://www.rankiteo.com/company/transport-for-london
"id": "tra2592425091825",
"linkid": "transport-for-london",
"type": "Cyber Attack",
"date": "6/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Transportation',
'location': 'London, UK',
'name': 'Transport for London (TfL)',
'size': 'Large (serves 8.4M+ Londoners)',
'type': 'Government Agency'},
{'industry': 'Healthcare',
'location': 'United States',
'name': 'SSM Health Care Corporation',
'type': 'Private Company'},
{'industry': 'Healthcare',
'location': 'United States',
'name': 'Sutter Health',
'type': 'Private Company'},
{'industry': 'Retail',
'location': 'United Kingdom',
'name': 'Marks & Spencer',
'type': 'Private Company'},
{'industry': 'Retail',
'location': 'United Kingdom',
'name': 'Harrods',
'type': 'Private Company'},
{'industry': 'Retail',
'location': 'United Kingdom',
'name': 'Co-op',
'type': 'Private Company'}],
'attack_vector': ['Social Engineering (likely)',
'Network Intrusion',
'Exploitation of Vulnerabilities'],
'customer_advisories': ['Initial denial of data compromise (later corrected)'],
'data_breach': {'data_exfiltration': 'Yes (initially denied, later confirmed)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'Moderate (names, contact details, '
'addresses)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)']},
'date_detected': '2024-08-01',
'date_publicly_disclosed': '2024-09-02',
'description': 'Two teenagers, Owen Flowers (18) and Thalha Jubair (19), '
'members of the Scattered Spider hacking collective, were '
'arrested in the UK for their alleged involvement in the '
'August 2024 cyberattack on Transport for London (TfL). The '
'attack disrupted internal systems and online services, '
'including refund processing, and later revealed the '
'compromise of customer data (names, contact details, and '
'addresses). Flowers also faces charges for attacks on U.S. '
'healthcare companies (SSM Health Care Corporation and Sutter '
'Health). Jubair is accused of involvement in at least 120 '
'global network breaches and extortion attacks, with victims '
'paying over $115M in ransoms. The NCA linked Scattered Spider '
'to prior attacks on UK retailers like Marks & Spencer, '
'Harrods, and Co-op.',
'impact': {'brand_reputation_impact': 'High (critical national infrastructure '
'targeted)',
'data_compromised': ['Customer names',
'Contact details',
'Addresses'],
'financial_loss': 'Millions (exact amount undisclosed)',
'identity_theft_risk': 'Moderate (PII compromised)',
'legal_liabilities': ['Computer misuse charges (UK)',
'Fraud-related charges (UK)',
'Conspiracy to commit computer fraud, money '
'laundering, and wire fraud (U.S.)'],
'operational_impact': ['Disruption of internal operations',
'Inability to process refunds',
'No impact on transportation services'],
'systems_affected': ['Internal systems',
'Online services',
'Refund processing systems']},
'initial_access_broker': {'high_value_targets': ['Transportation (TfL)',
'Healthcare (SSM Health, '
'Sutter Health)',
'Retail (Marks & Spencer, '
'Harrods, Co-op)']},
'investigation_status': 'Ongoing (court proceedings, additional evidence '
'gathering)',
'motivation': ['Financial Gain', 'Extortion', 'Disruption'],
'ransomware': {'data_exfiltration': 'Yes (alleged in broader Scattered Spider '
'operations)'},
'references': [{'source': 'UK National Crime Agency (NCA) Press Release'},
{'source': 'U.S. Department of Justice Complaint (District of '
'New Jersey)'},
{'source': 'Transport for London (TfL) Public Disclosure '
'(2024-09-02)'}],
'regulatory_compliance': {'legal_actions': ['Arrests (UK)',
'Criminal charges (UK and U.S.)',
'Prosecution for computer misuse '
'and fraud']},
'response': {'communication_strategy': ['Public disclosure on 2024-09-02',
'Updates on data compromise'],
'incident_response_plan_activated': 'Yes (TfL and NCA '
'involvement)',
'law_enforcement_notified': 'Yes (UK National Crime Agency, U.S. '
'Department of Justice)'},
'threat_actor': ['Scattered Spider (hacking collective)',
'Owen Flowers (18, Walsall, UK)',
'Thalha Jubair (19, East London, UK)'],
'title': 'Cyberattack on Transport for London (TfL) by Scattered Spider '
'Hacking Collective',
'type': ['Cyberattack',
'Data Breach',
'Disruption of Services',
'Ransomware (alleged)',
'Extortion']}