Two men have pleaded guilty to offences linked to a major cyber attack on Transport for London (TfL) that caused months of disruption and cost the transport authority an estimated £39 million. Thalha Jubair, 20, from east London, and Owen Flowers, 18, from Walsall in the West Midlands, changed their pleas at Woolwich Crown Court on Monday, where a six-week trial had been due to begin.
The pair admitted conspiring to commit unauthorised acts against TfL’s computer systems, contrary to the Computer Misuse Act. The cyber attack, which began on August 31, 2024, disrupted TfL services for around three months. The transport operator previously revealed that the breach affected approximately 10 million customers and resulted in significant operational and financial consequences.
According to prosecutors, the attack impacted several online services, while some customer information boards across the network went offline. TfL was also forced to contact thousands of customers after unauthorised access to personal data was discovered.
Jubair and Flowers admitted accessing TfL systems without authorisation but maintained that they acted recklessly rather than with the intention of causing damage. In addition to the TfL-related offence, Flowers pleaded guilty to attempting to gain unauthorised access to computer systems belonging to two American healthcare organisations — California-based Sutter Health and SSM Health Care Corporation.
Investigators from the National Crime Agency (NCA) previously linked the 2024 attack to the cybercriminal group known as “Scattered Spider,” a network that has been associated with several high-profile cyber intrusions worldwide.
Following the guilty pleas, Judge Mr Justice Turner thanked the legal teams involved, praising their efforts in reaching what he described as a “satisfactory way forward” in the case.Sentencing is expected to take place at a later date.


