
UK authorities have arrested two teenagers linked to the notorious Scattered Spider cybercrime collective, charging them with the high-profile hack of Transport for London (TfL) that disrupted millions of commuters in August 2024.
The National Crime Agency (NCA) arrested Thalha Jubair, 19, and Owen Flowers, 18, at their homes on Tuesday following an extensive investigation into the TfL breach. Both face conspiracy charges under the Computer Misuse Act, with potential sentences of life imprisonment due to the attack's impact on critical national infrastructure.
The arrests reveal the expanding reach of Scattered Spider, a loose collective of English-speaking cybercriminals that has orchestrated major attacks across the US and UK. Investigators discovered that Flowers allegedly targeted American healthcare giants SSM Health Care Corporation and Sutter Health, highlighting the group's cross-border operations.
"This attack caused significant disruption and millions in losses to TfL, part of the UK's critical national infrastructure," said Paul Foster, head of the NCA's National Cyber Crime Unit. The investigation involved collaboration between UK authorities and the FBI, with the US Department of Justice unsealing additional charges against Jubair.
The TfL hack reflects a concerning trend of cybercriminals targeting essential public services. Transport for London serves over 5 million daily passengers, making any disruption to its systems a matter of national security and public safety.
These arrests come amid an unprecedented workload for the NCA's cybercrime unit, which is simultaneously investigating breaches at the Legal Aid Agency, National Health Service facilities, and major retailers including Marks & Spencer and Harrods.
Protection Measures: Organisations should implement multi-factor authentication, regular security audits, and employee training programs to defend against social engineering tactics commonly used by groups like Scattered Spider. The collective typically gains initial access through phishing attacks and social engineering before escalating privileges within targeted networks.
Both suspects appeared at Westminster Magistrates' Court on Thursday, with prosecutors seeking to remand them in custody pending trial.