HOME /
WORLD
Two to stand trial for London transport cyberattack
AFP
1782108174000

Two men go on trial Monday accused of perpetrating a 2024 cyberattack on London's public transport operator that leaked millions of customers' personal information, in one of Britain's biggest data breaches.

A man walks past a sign for the London Underground in Westminster in central London on April 21, 2026. (File photo: AFP)

Defendants Thalha Jubair, 20, from east London and 18-year-old Owen Flowers from England's West Midlands, pleaded not guilty in November after their arrests in September.

The British pair, who have been remanded in custody, were charged after an investigation by the National Crime Agency.

It had linked the attack to the online criminal collective Scattered Spider, believed to be behind cyberattacks on British retail chains Marks & Spencer and the Co-op.

The men have been charged with conspiring to commit unauthorised acts related to computers, causing or risking serious damage to human welfare or national security.

The trial at Woolwich Crown Court in southeast London is expected to take four to six weeks.

According to the indictment, Transport for London (TfL) was subject to a network intrusion between August 29 and September 6, 2024.

The attack, discovered on September 1 2024, did not affect transport on its networks but caused three months of disruption to TfL's online services, resulting in a 39-million-pound ($52-million) loss to the organisation.

The hackers accessed customers' names, contacts and payment information, including banking details.

The BBC reported in March that about 10 million people had their data stolen, making it one of Britain's largest breaches, based on information from an anonymous source who obtained a copy of TfL's database.

TfL handles up to five million passenger journeys a day on the London Underground alone.

The organisation said it e-mailed more than seven million customers in September 2024 "to inform them about the incident" and tell them that "some customer data may have been taken".

The men had their pre-trial detention extended in February, when Jubair was accused of deleting messages he had been ordered to keep and having access to significant amounts of cryptocurrency.

He was also said to have told his mother he wanted to take revenge for his arrest.

Jubair faces an additional charge for refusing to disclose PIN codes or passwords for his devices.

Flowers is also charged with two counts of conspiring with others to hack into two US-based organisations, Sutter Health and SSM Health Care Corporation.

Both men pleaded not guilty to all counts.

Cyber gangs have increasingly targeted UK brands and retailers, with attacks last year also on carmaker Jaguar Land Rover.