Scattered Spider Guilty Pleas: What the TfL Hack Confirms About Offline Recovery
Two Scattered Spider members have admitted the £39m TfL hack. Mark Fermor on identity blast radius and why offline recovery is the deciding layer.

Mark Fermor
Director & Co-Founder, Firevault

I read this in The Times this morning. Two members of the loose hacking crew known as Scattered Spider have admitted the August 2024 attack on Transport for London. The cost has now passed £39 million, and the case is a clean illustration of how a single identity compromise reaches every system that depends on it. Reporting by Ali Mitib, The Times, 22 June 2026.
Key takeaways
- Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty at Woolwich Crown Court to the Computer Misuse Act offences behind the TfL hack. Sentencing is set for 15 July.
- The 31 August 2024 intrusion exposed names, home addresses, contact details, bank account numbers and the sort codes linked to Oyster cards for around 5,000 customers, and forced all 27,000 TfL staff to recertify their credentials in person.
- The same crew is linked by police to the 2026 attacks on Marks and Spencer, Co-op and Harrods. Flowers also admitted breaches of SSM Health and Sutter Health in the United States.
- When identity is the blast radius, online backups inherit the compromise. Offline, controlled-access copies are what decides recovery.
Two men accused of belonging to the cybercrime collective known as Scattered Spider have pleaded guilty to the 2024 attack that paralysed Transport for London, in a case The Times reports has now cost the operator more than £39 million.
Thalha Jubair, 20, of east London, and Owen Flowers, 18, of Walsall in the West Midlands, admitted conspiring to commit unauthorised acts under the Computer Misuse Act before the opening of their trial at Woolwich Crown Court. They will be sentenced on 15 July.
What actually happened to TfL
The intrusion on 31 August 2024 forced TfL to suspend a range of services across the capital. According to The Times, personal information for about 5,000 customers was exposed, including names, home addresses, contact details, bank account numbers and the sort codes linked to Oyster travel cards.
Major transport services kept running, but the operational fallout was significant. Passengers could not access their Oyster accounts online. Third-party services such as Citymapper went dark. The Dial-a-Ride service for disabled passengers was briefly suspended. Every one of TfL's 27,000 staff had to attend head office to recertify credentials and reset passwords.
That last detail is the one that should hold the attention of any board reading this. The recovery cost was not paid in ransom. It was paid in identity rebuild.
Why Scattered Spider keeps winning
Scattered Spider is the industry label for a loose group of English-speaking attackers who combine social engineering with off-the-shelf tooling to compromise large enterprises. Police have linked the same crew to this year's incidents at Marks and Spencer, Co-op and Harrods. Flowers also pleaded guilty to hacks against SSM Health Care Corporation and Sutter Health, two United States healthcare systems.
The pattern is consistent. The attackers do not break encryption. They convince a help desk, capture a session, and walk through the front door of identity. From there, they reach the systems an authenticated user can reach, including the backup platforms.
The Firevault view
The TfL case is not a story about a clever exploit. It is a story about what stays reachable once a privileged session is compromised. Three points stand out from our position.
First, identity is the blast radius. The moment a domain account is taken, every system that trusts that account becomes part of the incident. That includes the backup console, the snapshot scheduler, the immutability flags and the API keys that protect them.
Second, online backups inherit the compromise. A copy that sits behind the same directory as the production system is not a recovery copy. It is a second target. The attacker does not need to break it; they only need the credential that already governs it.
Third, recovery time is decided before the attack, not during it. The organisations that recover fastest are the ones that hold a physically disconnected, controlled-access copy of the systems and data that matter most. A copy that no stolen session can reach cannot be encrypted, exfiltrated or quietly deleted.
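The "blast radius" of a stolen identity is a reachability question over the trust relationships in an estate, which is the same model attack-path tools use. The following is an added illustration, not code from Firevault or from the article: it encodes a constructed, assumed trust graph (the principal and system names are illustrative, not TfL's) and computes what a single help-desk-initiated credential reset can reach. The online backup copies fall inside that set because the same directory governs them; the offline copy, reachable only through a separate authorisation path, does not.

```python
"""Identity blast radius as a reachability problem.

Constructed example, not Firevault's code. Each node is a principal or a
system; an edge A -> B means "holding A gives you B". The names and edges
below are assumptions chosen to mirror the scenario in the text.
"""
from collections import deque

# Assumed trust graph. Directory accounts govern production AND the online
# backup console; the console in turn controls snapshot schedules and
# immutability flags. The offline copy is deliberately reachable only via a
# separate, out-of-band human authorisation step, never via the directory.
TRUST_EDGES = {
    "helpdesk-reset":       ["domain-admin-session"],   # help desk hands over a session
    "domain-admin-session": ["prod-file-servers", "backup-console", "cloud-api-keys"],
    "backup-console":       ["snapshot-scheduler", "immutability-flags", "online-backup-copy"],
    "cloud-api-keys":       ["object-store-backups"],
    "offline-authoriser":   ["offline-golden-copy"],   # physical, non-directory control
}

# The assets a recovery plan depends on (assumed names).
BACKUP_ASSETS = ["online-backup-copy", "object-store-backups", "offline-golden-copy"]


def blast_radius(start, edges=TRUST_EDGES):
    """Return every node transitively reachable from a compromised principal."""
    seen = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def backups_in_blast_radius(start, backup_assets=BACKUP_ASSETS, edges=TRUST_EDGES):
    """Split the backup assets into those the attacker can reach and those they cannot."""
    reach = blast_radius(start, edges)
    reachable = sorted(a for a in backup_assets if a in reach)
    isolated = sorted(a for a in backup_assets if a not in reach)
    return reachable, isolated


if __name__ == "__main__":
    hit, safe = backups_in_blast_radius("helpdesk-reset")
    print("reachable from one help-desk reset:", hit)
    print("outside the blast radius:", safe)
```

The edges worth auditing in a real estate are whichever principals can reach the backup console and the controls that set immutability. If any of them resolves to a directory account, that backup sits inside the radius of the next help-desk reset.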
This is the design principle behind Firevault Offline Secure Storage. The golden copy lives at Layer 1, behind a deliberate human authorisation step. The directory cannot reach it. The attacker cannot phish it. The help desk cannot release it by mistake.
For boards, the practical posture is simple. Assume the credential is already lost. Rehearse recovery from a copy the attacker cannot see. Read our briefing on recovery independence for the questions to put to your IT and security leadership this quarter.
— Mark Fermor, Director and Co-Founder, Firevault
Source
Ali Mitib, Cybercriminals admit hack that paralysed TfL systems, The Times, 22 June 2026.
Suggested Reading
- What is Offline Secure Storage: The foundation of physical disconnection
- Why Offline Secure Storage: The case for physical control
- Ransomware Defence: Hold gold copies offline
- Firevault Control: Physical path control for IT and OT
- Knowledge Vault: All articles, guides and whitepapers
- Book a Demo: See Firevault in action