Two UK teenagers have pleaded guilty to the 2024 cyberattack that shut down Transport for London's network for three days and exposed the personal data of roughly 10 million passengers. Thalha Jubair, 20, of Bow in east London, and Owen Flowers, 18, of Walsall, admitted at Woolwich Crown Court on 22 June 2026 to conspiring to commit unauthorised acts against TfL's computer systems, according to the National Crime Agency. They changed their pleas on what was set to be the first day of a six-week trial. The incident cost TfL £39M and ranks among the largest data thefts in British history.
What Happened
In 2024, attackers compromised TfL's computer systems, forcing the transport authority offline for three days. The operational disruption was only the visible half of the damage. Behind it sat a far larger problem: the theft of personal records belonging to around 10 million people who use London's transport network.
The £39M figure widely quoted is TfL's own remediation bill. It covers recovery work, external cybersecurity support, and the reset of passwords for all 28,000 staff members. Note the discrepancy in public reporting: the NCA's release still cites an earlier £29M estimate, while £39M is the later and fuller total. If you see both numbers, £39M is the current one.
Both defendants have been diagnosed with autism, and Jubair also suffers from depression and a severe mood disorder, the court heard. Paul Foster, head of the NCA's National Cyber Crime Unit, pointed to offenders like these as evidence of the growing cybercrime threat from UK-based actors, a category that includes groups such as Scattered Spider.
What Was Taken
For most affected people, the stolen data consisted of names, email addresses, home addresses, and phone numbers. TfL confirmed that around 7.1 million customers with a registered email were alerted to the breach.
A smaller group fared worse. Roughly 5,000 customers had their Oyster refund data potentially accessed, which could include bank account numbers and sort codes. That subset is the most immediately exploitable, because it pairs identity with direct financial detail.
The person who handed over the database said they were not aware of it being used for secondary attacks yet. That word "yet" is the operative concern. As one cybersecurity expert noted, 10 million records is a treasure trove that is never deleted, and the data will likely resurface in scams for years.
Why It Matters
Stolen contact details are the raw material for fraud. A criminal armed with your name, your phone number, and the knowledge that you use TfL can craft a convincing message about a refund you are supposedly owed. Specificity is what makes social engineering work, and a breach like this hands attackers exactly that.
The fraud economy backing this is large and growing. Criminals stole £1.28 billion through payment fraud in the UK in 2025, up 4% on the previous year. Authorised push payment fraud, the category most directly fed by targeted scam messaging, jumped 19% to £576.4 million, the highest level since 2021.
The deeper problem is attribution. No one can prove that a given scam text traces back to the TfL breach. Once personal details enter the criminal economy, they are bundled, resold, and reused, and the line back to the original theft disappears. Victims absorb the cost while the breach that enabled it stays invisible.
The Attack Technique
Court and NCA disclosures so far focus on the charge, conspiring to commit unauthorised acts against TfL's systems, rather than a full technical account of intrusion methods. The publicly confirmed outcomes are a three-day operational shutdown and the exfiltration of roughly 10 million personal records, including a 5,000-record subset of Oyster refund banking data.
The NCA's framing of the offenders alongside groups like Scattered Spider is notable. That cohort is known for social engineering, help-desk and identity-based access, and credential abuse rather than purely technical exploitation. The mandated password reset for all 28,000 TfL staff is consistent with an incident in which credential and account access were a central concern. Organisations should treat identity compromise as a plausible vector pending a fuller technical breakdown.
What Organizations Should Do
- Harden identity and access. Enforce phishing-resistant multi-factor authentication, restrict help-desk password and MFA reset workflows, and require strong verification before any account recovery action.
- Plan for mass credential reset. The TfL response required resetting passwords for 28,000 staff. Build and rehearse the capability to rotate credentials at scale before an incident forces it.
- Minimise and segment sensitive data. Keep financial details such as bank account and sort code information isolated, encrypted, and accessible only to systems that genuinely need it, limiting the blast radius of any single breach.
- Prepare breach notification in advance. TfL alerted 7.1 million customers. Have templated, accurate notification processes ready so affected people can act quickly to protect themselves.
- Brief customers on follow-on fraud. Warn users that stolen contact data fuels targeted scam texts and authorised push payment fraud, and tell them your organisation will never request payment or banking details by unsolicited message.
- Monitor for leaked data and downstream abuse. Track criminal marketplaces and paste sites for your records, and watch for spikes in account takeover or refund-themed phishing that signal the data is being weaponised.
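The help-desk recovery controls recommended above can be backed by a detection rule. The following is an added example, not code from TfL, the NCA, or the original article, and not a reconstruction of the TfL intrusion. It flags accounts where a help-desk password reset is followed shortly by a new MFA factor and a sign-in from a previously unseen device; the log format, field names, and 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed identity-provider audit lines; the format and field names are assumptions.
SAMPLE_LOG = """\
2024-09-01T08:02:11 action=signin user=a.khan actor=a.khan device=LAP-1041
2024-09-01T09:15:40 action=password_reset user=a.khan actor=helpdesk.07 device=-
2024-09-01T09:19:02 action=mfa_enroll user=a.khan actor=a.khan device=PHONE-77f2
2024-09-01T09:21:30 action=signin user=a.khan actor=a.khan device=PHONE-77f2
2024-09-01T10:05:00 action=password_reset user=j.ortiz actor=j.ortiz device=LAP-2210
2024-09-01T11:00:00 action=password_reset user=m.lee actor=helpdesk.03 device=-
2024-09-01T15:30:00 action=mfa_enroll user=m.lee actor=m.lee device=PHONE-91ab
"""

def parse(line):
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def risky_recoveries(log_text, window=timedelta(minutes=30)):
    """Return (user, help-desk actor, device) where a help-desk reset is followed,
    inside `window`, by a new MFA factor and a sign-in from an unseen device."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    known = {}    # user -> devices seen signing in so far
    pending = {}  # user -> most recent reset performed by someone else
    alerts = []
    for e in events:
        user, action = e["user"], e["action"]
        if action == "password_reset" and e["actor"] != user:
            pending[user] = {"ts": e["ts"], "actor": e["actor"], "mfa": False}
            continue
        state = pending.get(user)
        if state and e["ts"] - state["ts"] > window:
            del pending[user]  # reset aged out; later events are treated as routine
            state = None
        if action == "mfa_enroll" and state:
            state["mfa"] = True
        elif action == "signin":
            if state and state["mfa"] and e["device"] not in known.get(user, set()):
                alerts.append((user, state["actor"], e["device"]))
                del pending[user]
            known.setdefault(user, set()).add(e["device"])
    return alerts

if __name__ == "__main__":
    print(risky_recoveries(SAMPLE_LOG))
```

A flagged account is a prompt to confirm the recovery request with the employee through a separate, verified channel, not proof of compromise.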