The cyber attack on **Transport for London (TfL)**, executed by the teenage hacker collective **Scattered Spider**, caused **$53 million in damages** and **three months of operational downtime**. The breach led to the **potential compromise of sensitive data**, including **employee names, emails, home addresses, and some customer data**. The attack severely disrupted TfL’s transport services, highlighting vulnerabilities in critical infrastructure. Two defendants—**Thalha Jubair (19) and Owen Flowers (18)**—pleaded not guilty, with the trial scheduled for **June 2026**. The incident underscores the rising threat of **cyber attacks on public services**, with far-reaching financial and reputational consequences.
Transport for London cybersecurity rating report: https://www.rankiteo.com/company/transport-for-london
{
  "id": "TRA5292652112125",
  "linkid": "transport-for-london",
  "type": "Cyber Attack",
  "date": "11/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
    'affected_entities': [
        {
            'customers_affected': 'Some TfL customers (data potentially compromised)',
            'industry': 'Transportation',
            'location': 'London, UK',
            'name': 'Transport for London (TfL)',
            'type': 'Government Agency / Public Transport Authority',
        },
        {
            'customers_affected': 'Potentially numerous clients relying on Oracle’s cloud services',
            'industry': 'Technology / Cloud Services',
            'location': 'Austin, Texas, USA (HQ)',
            'name': 'Oracle Corporation',
            'type': 'Public Company',
        },
    ],
    'attack_vector': [
        'Unauthorized use of computer systems (TfL)',
        'Zero-Day Exploit in Oracle E-Business Suite Servers (Oracle)',
    ],
    'customer_advisories': [
        'Oracle clients advised to remain vigilant and update security protocols',
    ],
    'data_breach': {
        'data_exfiltration': [None, 'Yes (data released on the dark web by Clop)'],
        'personally_identifiable_information': ['Yes (TfL)', None],
        'sensitivity_of_data': [
            'High (personal and employee data for TfL)',
            'High (corporate and client data for Oracle)',
        ],
        'type_of_data_compromised': [
            'Personal details (employee names, emails, home addresses); some customer data (TfL)',
            'Corporate and client information (Oracle)',
        ],
    },
    'date_detected': ['2024-08-01', '2024-09-01'],
    'description': "Two separate cyber incidents: (1) Teenagers from the hacker collective 'Scattered Spider' were charged in connection with a cyber attack on Transport for London (TfL), causing $53 million in damages and three months of downtime. (2) The Clop ransomware gang exploited a zero-day vulnerability in Oracle’s E-Business Suite Servers, leading to a significant data breach with potential exposure of corporate and client information.",
    'impact': {
        'brand_reputation_impact': ['Likely negative (TfL and Oracle)', None],
        'data_compromised': [
            'Employee names, emails, home addresses; some TfL customer data (TfL)',
            'Potentially extensive corporate and client information (Oracle)',
        ],
        'downtime': ['Nearly three months (TfL)', None],
        'financial_loss': ['$53 million (TfL)', None],
        'identity_theft_risk': ['Potential (TfL employee and customer data)', None],
        'legal_liabilities': ['Ongoing trial for two teenagers (TfL)', None],
        'operational_impact': [
            'Significant disruptions to TfL’s operations (TfL)',
            'Ongoing investigation; potential risks to Oracle cloud service clients (Oracle)',
        ],
        'systems_affected': [
            'TfL’s transport service operations (TfL)',
            'Oracle’s E-Business Suite Servers (Oracle)',
        ],
    },
    'initial_access_broker': {
        'data_sold_on_dark_web': [None, 'Yes (Oracle data released on dark web by Clop)'],
    },
    'investigation_status': [
        'Ongoing trial (TfL); trial date set for June 8, 2026',
        'Ongoing investigation (Oracle)',
    ],
    'motivation': [
        'Unclear (potentially disruption or data theft for TfL)',
        'Financial gain / extortion (Oracle)',
    ],
    'post_incident_analysis': {
        'root_causes': [
            None,
            'Exploitation of zero-day vulnerability in Oracle E-Business Suite Servers',
        ],
    },
    'ransomware': {
        'data_encryption': [None, None],
        'data_exfiltration': [None, 'Yes (Oracle)'],
        'ransom_demanded': [None, None],
        'ransom_paid': [None, None],
        'ransomware_strain': [None, 'Clop'],
    },
    'recommendations': [
        'Businesses using Oracle’s software advised to update security protocols (Oracle)',
    ],
    'references': [
        {'source': 'News report on TfL cyber attack and court proceedings'},
        {'source': 'Cybersecurity analysis of Clop ransomware attack on Oracle'},
    ],
    'regulatory_compliance': {
        'legal_actions': ['Ongoing trial for two teenagers (TfL)', None],
    },
    'response': {
        'containment_measures': [None, 'Ongoing (Oracle)'],
        'incident_response_plan_activated': [
            'Investigation by National Crime Agency (NCA) and City of London Police (TfL)',
            'Oracle collaborating with cybersecurity professionals (Oracle)',
        ],
        'law_enforcement_notified': ['Yes (NCA and City of London Police for TfL)', None],
        'third_party_assistance': [None, 'Cybersecurity professionals (Oracle)'],
    },
    'threat_actor': [
        'Scattered Spider (Teenage hacker collective)',
        'Clop Ransomware Gang (Graceful Spider)',
    ],
    'title': 'Cyber Attack on Transport for London (TfL) and Oracle Corporation Breach by Clop Ransomware',
    'type': [
        'Unauthorized Access / Disruption (TfL)',
        'Ransomware / Data Breach (Oracle)',
    ],
    'vulnerability_exploited': [
        'Zero-Day vulnerability in Oracle E-Business Suite Servers',
    ],
}