What is known about the TfL cyber attack after two men admitted the £39m hack

On 22 June 2026, TfL faced a decisive court development after two young British men admitted offences linked to the £39m cyber attack that disrupted Transport for London’s online systems, refund services and customer access for months after the breach in late summer 2024, The WP Times reports. Thalha Jubair, 20, from east London, and Owen Flowers, 18, from Walsall in the West Midlands, changed their pleas at Woolwich Crown Court on the first day of what had been expected to be a six-week trial.

The case matters because it was not a remote technical incident hidden inside servers. The attack affected the transport authority behind London’s Underground, buses, Oyster cards, refunds, apps and passenger information systems. Investigators say the intrusion was linked to Scattered Spider, an English-speaking cybercrime collective already associated with attacks on major companies. TfL has previously said the incident caused months of disruption, while reports said up to 10 million customers were affected.

What happened in the TfL cyber attack case at Woolwich Crown Court

The two defendants pleaded guilty to conspiring to commit unauthorised acts against TfL’s computer systems under the Computer Misuse Act. The pleas were entered on Monday, 22 June 2026, at Woolwich Crown Court in London. Jubair and Flowers had originally been due to stand trial for six weeks, but the proceedings changed after they admitted the main TfL-related charge. Mr Justice Turner remanded both men in custody ahead of sentencing.

The sentencing hearing is scheduled to begin on 15 July 2026. That date is now the next key stage in a case that connects public transport, customer data, cybercrime and critical infrastructure. The court will have to consider the scale of the disruption, the cost to TfL and the wider public consequences of the attack. Flowers also admitted offences linked to attempts to hack US healthcare companies. The attack itself took place between late August and early September 2024. According to investigators, TfL’s network was infiltrated between 31 August and 3 September 2024. Other reporting places the broader period between 29 August and 3 September. TfL identified the cyber attack on 1 September 2024 and then began a long recovery process.

How did the TfL hack affect Oyster, refunds and London passengers

The most visible impact was on TfL’s online services. Passengers were unable to access some live travel information through digital channels, including Tube arrival data on TfL Go and the TfL website. Oyster and contactless app services were also affected, including payments and account registration functions. The disruption was not limited to one small technical department; it reached systems used by ordinary London passengers.

TfL’s Oyster refund system was accessed during the breach. That mattered because refund data can include sensitive customer information. Some passengers were left waiting much longer than usual for money they were owed. Applications for Oyster photocards for children and young people were also disrupted.

The incident created several practical consequences:

TfL later contacted more than 7 million customers to warn them that some data may have been taken. BBC reporting said the breach affected 10 million customers. Separately, TfL identified a smaller group of customers whose Oyster refund data included bank details. That distinction is important: not every affected person had the same type of data exposed.

Who are Thalha Jubair and Owen Flowers?

Thalha Jubair is 20 and from east London. Owen Flowers is 18 and from Walsall in the West Midlands. Both were arrested at their home addresses on 16 September 2025 as part of an investigation by the National Crime Agency and the City of London Police. They had previously denied the charges, but changed their pleas at the start of trial.

Investigators say both men were members of Scattered Spider. The group is not a formal company or a traditional gang with a public structure. It is described as an online criminal collective, known for using social engineering and digital intrusion methods against large organisations. The NCA has linked the TfL case to a wider pattern of English-speaking cybercriminal activity.

Flowers also admitted offences involving two US healthcare companies. He pleaded guilty to conspiring to commit unauthorised acts against systems belonging to SSM Health Care Corporation and attempting to commit unauthorised acts against systems belonging to Sutter Health. These admissions widen the case beyond London transport and into international healthcare targets.

Jubair has also been named in US allegations over wider cyber attacks. US prosecutors have accused him of involvement in attacks against dozens of organisations and ransom payments worth more than $100m. Those allegations sit alongside the UK case but are separate from the TfL guilty pleas.

What evidence did investigators find after the TfL cyber attack

The NCA said investigators seized laptops, desktop computers, hard drives and USB devices from Flowers’ home. One laptop contained a screenshot showing connectivity to TfL infrastructure. Investigators also found videos that appeared to show Jubair accessing TfL systems during the attack. The pair allegedly communicated through Telegram and an online collaborative workspace.

This evidence matters because cybercrime cases often depend on linking online identities, devices, messages and system access. A court has to understand not only that an attack happened, but who took part and how the activity was coordinated. In this case, investigators say the digital material connected the defendants to TfL infrastructure and to each other. Flowers was also found to have accessed an online tool used for breached credentials. The NCA described the inquiry as long and complex. Deputy Director Paul Foster called it a “painstaking investigation” and said the TfL incident showed cybercrime has “real-world consequences”. That point is central to the case. A hack against a transport authority can delay refunds, affect passenger information, expose data and force a public body to spend millions on recovery.

Why does Scattered Spider matter for Britain’s cyber security

Scattered Spider matters because it represents a shift in the threat picture. Major cyber attacks against British institutions have often been associated with Russian-speaking groups or overseas ransomware networks. This case points to a growing risk from UK-based and English-speaking offenders. That makes the threat more local, harder to dismiss and more relevant to British public services. The group has been linked by investigators and cyber specialists to attacks on major businesses. Those include incidents involving Jaguar Land Rover and retailers such as Marks & Spencer. The TfL case shows how similar tactics can affect public infrastructure. Even where trains and buses continue to run, digital disruption can still hit millions of passengers.

The wider lesson is that public bodies now depend on digital systems for routine services. Refunds, journey information, staff access, customer accounts and identity checks are not secondary functions. When those systems fail or are taken offline, the public feels the result quickly. The TfL case therefore belongs not only in the crime pages, but also in the debate over national resilience.

What did TfL say after the guilty pleas

London’s Transport Commissioner Andy Lord welcomed the guilty pleas. He said the security of TfL’s systems and customer data is extremely important and that the organisation continues to monitor and protect its systems. TfL has also said that it took action after the incident to contain the breach and restore services. The transport authority faced a difficult balance in the aftermath of the attack. It had to keep London moving while investigating the intrusion, protecting customer information and rebuilding affected systems. Some passengers saw direct disruption through app failures, refund delays or unavailable online services. Others were contacted because their data may have been affected.

TfL’s position is that protecting customer systems remains an ongoing duty. That is not just a technical promise. It is a public trust issue for a transport network used by millions of people. The £39m cost shows that cyber security failures can become financial, operational and political problems at the same time.

What happens next in the TfL cyber attack case

The next major date is 15 July 2026, when sentencing is due to begin. The court will consider the guilty pleas, the admitted offences, the scale of financial loss and the public impact. Flowers’ admissions involving US healthcare companies may also affect how his case is assessed. Jubair’s wider criminal history and separate US allegations may also be relevant to the overall picture presented in court.

For passengers, the immediate question is not whether the Tube will stop running because of this case. The more practical issue is whether customer data, refund systems and digital transport services are better protected now than they were in 2024. TfL has already spent heavily responding to the attack. The public will expect that money to translate into stronger systems and clearer communication. The case also sends a message to other public bodies. Cyber attacks do not need to shut down physical infrastructure to cause serious damage. A breach that interrupts apps, refunds, customer accounts and internal access can still cost tens of millions of pounds. In London, the TfL attack has become one of the clearest examples of how digital crime can move quickly from a screen into everyday public life.

Read about the life of Westminster and Pimlico district, London and the world. 24/7 news with fresh and useful updates on culture, business, technology and city life: Will Schools Close If Too Hot? What Parents Need To Know As Britain Faces 38C June Heatwave