Two teenagers have been formally charged in connection with a significant cyber attack against Transport for London (TfL) that occurred in late August and early September 2024. The attack, attributed to the Scattered Spider cybercrime collective, caused substantial disruption to TfL’s online services and resulted in financial losses exceeding £30 million. The National Crime Agency (NCA) and City of London Police arrested Owen Flowers, aged 18 from Walsall, and Thalha Jubair, aged 19 from East London, at their home addresses on September 16, 20251. Both defendants appeared at Westminster Magistrates’ Court on September 18, 2025, to face charges2.
The Crown Prosecution Service (CPS) authorized the charges following an extensive investigation by the NCA. Chief prosecutor Hannah von Dadelszen stated that prosecutors found sufficient evidence to proceed and that a trial is in the public interest3. This case represents a continued effort by UK authorities to combat the threat posed by cybercrime groups, particularly those involving young, English-speaking individuals.
**TL;DR for Security Leadership**
* **Who:** Owen Flowers (18) and Thalha Jubair (19), alleged members of Scattered Spider.
* **What:** Charged with conspiracy under the Computer Misuse Act 1990 for the TfL attack.
* **Impact:** TfL online services disrupted; financial impact >£30M; no core transit services halted.
* **Additional Charges:** Flowers charged for attacks on US healthcare firms; Jubair charged for refusing to provide passwords under RIPA 2000.
* **Context:** Part of a wider crackdown on Scattered Spider, following four arrests in July 2025 for attacks on UK retailers.
The primary charge against both individuals is conspiracy to commit an unauthorised act in relation to a computer, intending to cause or create a risk of serious damage to human welfare and/or national security, contrary to the Computer Misuse Act 19904. This is a serious offence that carries a maximum sentence of life imprisonment, reflecting the potential severity of the damage such attacks can cause to critical national infrastructure. The attack did not halt core transit services like the Underground but significantly disrupted ancillary online systems. Third-party APIs, such as those used by journey planning applications like Citymapper, and customer login portals for contactless and Oyster payment accounts were taken offline for a considerable period5.
Beyond the collective charge related to TfL, each defendant faces additional allegations. Owen Flowers has been charged with two further counts of the same Computer Misuse Act offence, related to alleged cyber attacks against U.S. healthcare companies SSM Health Care Corporation and Sutter Health6. This indicates a broader pattern of alleged activity targeting large organizations across different sectors and geographies. Thalha Jubair faces an additional charge for failing to comply with a Section 49 notice under the Regulation of Investigatory Powers Act (RIPA) 2000, having refused to provide passwords to seized devices during the investigation7.
The NCA has confirmed its strong belief that both individuals are involved with the Scattered Spider cybercrime collective8. This group has been linked to numerous high-profile attacks, often utilizing social engineering and supply chain compromise techniques to gain initial access. This arrest wave follows the apprehension of four other individuals in July 2025 in connection with Scattered Spider attacks on UK retailers Marks & Spencer, Co-op, and Harrods, signaling a concerted effort by UK law enforcement to dismantle the group’s operations9.
Paul Foster, NCA Deputy Director, stated that this case exemplifies the increased threat from UK and English-speaking cybercriminals. He highlighted the commitment of the NCA, UK policing, and international partners like the FBI to pursue such offenders relentlessly10. The collaboration between national and international agencies was likely crucial in investigating the transatlantic aspects of the charges against Flowers. A historical note reveals that Owen Flowers was previously arrested and questioned over the TfL attack in September 2024 but was released on bail; as he was a minor at the time, his identity was not previously disclosed11.
Operational Security and Infrastructure Implications
The TfL attack underscores the persistent threat to critical national infrastructure (CNI) from agile cybercrime collectives. While the core operational technology (OT) systems controlling trains remained unaffected, the compromise of customer-facing IT systems still resulted in severe financial and operational repercussions. For security teams, this highlights the necessity of extending robust security monitoring and controls beyond core operational networks to encompass all public-facing APIs, customer identity systems, and third-party integration points. The significant financial cost of incident response, investigation, and remediation, reported to be at least £5 million, serves as a stark reminder of the total cost of ownership following a security incident.
Legal and Investigative Considerations
The application of the Computer Misuse Act 1990, particularly the clause pertaining to risk of serious damage to human welfare or national security, demonstrates the legal framework’s capacity to address modern cyber threats against CNI. The additional charge under RIPA 2000 for failing to provide encryption keys is a powerful tool for investigators but remains a complex legal area. For organizations, this case reinforces the importance of having clear policies and procedures for interacting with law enforcement during an investigation, including understanding legal obligations around data disclosure.
Attribution and Threat Actor Tactics
The linkage of these individuals to Scattered Spider provides valuable context regarding the group’s composition and tactics. Scattered Spider is known for its use of social engineering, often targeting IT help desks to gain initial access, and subsequently employing legitimate remote access and identity tools for persistence. This case suggests the group’s operations may involve younger individuals with high technical proficiency. Security teams should therefore ensure defensive measures are effective against these low-sophistication but high-impact techniques, such as enhancing help desk verification processes and monitoring for anomalous use of remote access software.
Conclusion
The charging of two teenagers in connection with the TfL cyber attack represents a significant development in the ongoing effort to combat the Scattered Spider collective. It illustrates the serious legal consequences facing individuals involved in major cyber crimes, especially those targeting critical infrastructure. For the security community, the incident is a case study in the tangible impact of cyber attacks on large public sector organizations, affecting both service delivery and finances. It reinforces the need for comprehensive defense-in-depth strategies, international cooperation, and continued investment in cybersecurity resilience for essential services.
References
- “Two teenagers charged over Transport for London cyber attack,” BBC News, Sep. 18, 2025. [Online]. Available: https://www.bbc.com/news
- A. Scroxton, “Teen hackers charged over Scattered Spider attack on TfL,” Computer Weekly, Sep. 18, 2025. [Online]. Available: https://www.computerweekly.com/news
- A. Martin, “Two teenage suspected Scattered Spider members charged in UK over TfL hack,” The Record, Sep. 18, 2025. [Online]. Available: https://therecord.media/scattered-spider-teens-charged-tfl-hack
- “UK charges two teens over Transport for London cyberattack,” The Register, Sep. 18, 2025. [Online]. Available: https://www.theregister.com/2025/09/18/teens_charged_tfl_cyberattack/
- “Two teenagers charged with major TfL cyberattack,” The Times, Sep. 18, 2025. [Online]. Available: https://www.thetimes.co.uk/article/teens-charged-tfl-cyberattack
- “Two teenagers charged over Transport for London cyber attack,” Yahoo News UK, Sep. 18, 2025. [Online]. Available: https://uk.news.yahoo.com/teens-charged-tfl-cyber-attack
