Hackers Plead Guilty in One of Britain's Largest Data Thefts: 10M TfL Passengers Still Exposed
Two teenagers plead guilty to a major cyber attack on TfL, exposing millions of personal records.

Two teenagers have admitted to carrying out the cyber attack that shut down London's transport network for three days in 2024 and cost Transport for London £39M. But the 10 million passengers whose personal details now circulate among criminals are the ones still paying for it.
Thalha Jubair, 20, from Bow in east London, and Owen Flowers, 18, from Walsall, pleaded guilty at Woolwich Crown Court on 22 June 2026 to conspiring to commit unauthorised acts against TfL's computer systems. They changed their pleas on what was to be the first day of a six-week trial, according to the National Crime Agency.
The £39M Headline Hides a Bill You Might Pay
The £39M is TfL's own bill: recovery, external cybersecurity support, and resetting passwords for all 28,000 staff. The NCA's release still cites an earlier £29M estimate, so if you see both, £39M is the later, fuller total.
But that is TfL's money. The figure that should worry the rest of us is 10 million, which is roughly the number of people whose personal data was stolen from TfL's systems. It ranks among the largest data thefts in British history.

What the Hackers Walked Away With
For most people, the haul was names, email addresses, home addresses, and phone numbers. Around 7.1 million customers with a registered email were alerted, as confirmed by TfL. About 5,000 had it worse: their Oyster refund data may have been accessed, which could include bank account numbers and sort codes.
The person who handed over the database said they were not aware of it being used for secondary attacks yet. A cybersecurity expert noted that 10 million records is a treasure trove that is never deleted, and the data will likely be reused in scams for years.
Why This Lands on Your Phone as a Scam Text
Stolen contact details are the raw material for fraud. A criminal who knows your name, your number, and that you use TfL can send a convincing message about a refund you are owed, and specific lies work.
Criminals stole £1.28 billion through payment fraud in the UK in 2025, up 4% on the year before. Authorised push payment fraud jumped 19% to £576.4 million, the highest since 2021.
No one can prove a given scam text traces back to the TfL breach. That is the problem. Once your details enter the criminal economy, they are bundled, resold, and reused, and the line back to the theft disappears.
The Young Men Behind It
Both defendants have been diagnosed with autism, and Jubair also suffers from depression and a severe mood disorder, the court heard. Paul Foster, head of the NCA's National Cyber Crime Unit, said offenders like these show the growing threat from cyber criminals based in the UK and other English-speaking countries, epitomised by Scattered Spider.
The court was told that $10M (about £7.4M) moved from Jubair's crypto wallets after his release in March 2025, and $200M (around £148M) had passed through accounts linked to him. Jubair already carries convictions for 22 offences. Scattered Spider is a loose, mostly English-speaking collective linked to attacks on Jaguar Land Rover and Marks and Spencer.
What to Do If You Used TfL in 2024
If you had a TfL online account around late August 2024, assume your contact details are out there. Never move money or hand over a code because a message told you to, however urgent. Banks and TfL do not work that way. Check whether your email appears in known breaches, and change any password you reused elsewhere.
Flowers and Jubair will be sentenced on 15 July 2026. The data they took will still be circulating long after they walk free. For most people, that is the real verdict.
© Copyright IBTimes 2025. All rights reserved.
























