ctipilot.ch

Transport for London 2024 intrusion — Scattered Spider members plead guilty

incident · incident:tfl-scattered-spider-2024

Coverage timeline: 1 (first 2026-06-23 → last 2026-06-23)
Briefs: 1 (1 distinct)
Sources cited: 49 (41 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 6 (see Related entities below)

Story timeline

  1. 2026-06-23 · CTI Daily Brief — 2026-06-23
     active_threats: Jubair & Flowers guilty pleas at Woolwich Crown Court; £39M; sentencing 16 July; UNC3944/Storm-0875 help-desk social-engineering playbook

Where this entity is cited

  • active_threats: 1

Source distribution

  • attack.mitre.org: 3 (6%)
  • enisa.europa.eu: 3 (6%)
  • bleepingcomputer.com: 2 (4%)
  • therecord.media: 2 (4%)
  • helpnetsecurity.com: 2 (4%)
  • thehackernews.com: 2 (4%)
  • ca.news.yahoo.com: 1 (2%)
  • gambit.security: 1 (2%)
  • other: 33 (67%)

Related entities

All cited sources (49)

Items in briefs about Transport for London 2024 intrusion — Scattered Spider members plead guilty (3)

Two Scattered Spider members plead guilty over the 2024 Transport for London intrusion

From CTI Daily Brief — 2026-06-23 · published 2026-06-23

Thalha Jubair (20) and Owen Flowers (18) changed their pleas to guilty at Woolwich Crown Court on 2026-06-22, both admitting conspiracy to commit unauthorised acts against Transport for London under the Computer Misuse Act (UK National Crime Agency, 2026-06-22; ITV News, 2026-06-22). The 31 August – 3 September 2024 intrusion disrupted TfL services for three months, forced in-person password resets for all 28,000 staff, and affected roughly 10 million customers including Oyster systems, at a cost the NCA puts at £29M in loss and recovery (ITV and the BBC reported £39M — see § 7). Flowers additionally admitted attempted intrusions against US healthcare providers Sutter Health and SSM Health; the NCA ties both defendants to the Scattered Spider collective (UNC3944 / Storm-0875), and sentencing is set for 16 July 2026 (Yahoo/BBC, 2026-06-22).

Defender takeaway: The TfL breach is the canonical Scattered Spider playbook — social-engineering the IT help desk, SIM-swap / MFA-fatigue to defeat second factors, then lateral movement — and none of it turned on a software vulnerability (T1566 Phishing, T1078 Valid Accounts, T1621 Multi-Factor Authentication Request Generation). For EU/CH public-sector operators the durable control is help-desk procedure: require out-of-band secondary verification before any MFA-device reset or password reset on privileged accounts, and alert when a single account generates a burst of MFA push rejections immediately followed by a successful logon. The guilty pleas are a reminder the collective remains active against public-sector and healthcare targets.
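The MFA-fatigue alert rule in the takeaway above, as an added example that is not part of the brief: a Python sweep over constructed identity-provider log lines (the line format, field names and thresholds are assumptions) that flags an account whose burst of push rejections is followed within minutes by a successful logon.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the page): "<ISO timestamp> <user> <action>".
# alice shows the fatigue pattern; bob is a single accidental denial, no alert.
SAMPLE_EVENTS = [
    "2026-06-22T08:00:05Z alice mfa_push_denied",
    "2026-06-22T08:00:41Z alice mfa_push_denied",
    "2026-06-22T08:01:17Z alice mfa_push_denied",
    "2026-06-22T08:01:52Z alice mfa_push_denied",
    "2026-06-22T08:02:30Z alice mfa_push_approved",
    "2026-06-22T08:02:33Z alice logon_success",
    "2026-06-22T09:15:00Z bob mfa_push_denied",
    "2026-06-22T09:40:00Z bob mfa_push_approved",
    "2026-06-22T09:40:02Z bob logon_success",
]


def parse_event(line):
    """Split one assumed-format log line into (timestamp, user, action)."""
    ts, user, action = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action


def detect_mfa_fatigue(lines, min_rejections=3,
                       burst_window=timedelta(minutes=5),
                       follow_window=timedelta(minutes=2)):
    """Return (user, rejection_count, logon_time) for every account that
    rejected at least min_rejections pushes inside burst_window and then
    logged on successfully within follow_window of the last rejection."""
    recent_denials = defaultdict(deque)  # per-user denial timestamps in the burst
    alerts = []
    for ts, user, action in sorted(map(parse_event, lines)):
        q = recent_denials[user]
        if action == "mfa_push_denied":
            q.append(ts)
            while ts - q[0] > burst_window:  # drop denials outside the burst
                q.popleft()
        elif action == "logon_success":
            if len(q) >= min_rejections and ts - q[-1] <= follow_window:
                alerts.append((user, len(q), ts))
            q.clear()  # one alert per burst, then start over
    return alerts


if __name__ == "__main__":
    for user, count, when in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(f"ALERT {user}: {count} push rejections, logon at {when.isoformat()}")
```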

Transport — Iran-MOIS destructive breach against LACMTA with deliberate backup and VM destruction

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

The window's standout transport-sector event was destructive, not extortive. Gambit Security attributed the LACMTA (Los Angeles Metro) breach to Iran's MOIS operating behind the "Ababil of Minab" hacktivist front, with ~700 GB exfiltrated and backups and virtual machines deliberately destroyed (2026-05-28). The relevance for European public-transit and public-sector defenders is the recovery-planning implication: where the adversary's objective is destruction rather than ransom, restoration assumes offline / immutable backups and rebuild-from-known-good capacity — controls that an extortion-only threat model under-provisions. The "hacktivist front for state destruction" pattern also complicates attribution and the public-comms response.

Transport (NL/EU)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Eurail began issuing breach notifications to 308,777 customers in late April 2026, three months after the December 2025 incident in which an attacker accessed personal data including passport numbers, IBANs, and DiscoverEU pass details. The three-month gap between discovery and notification is under review by the Autoriteit Persoonsgegevens (Dutch DPA) and the European Data Protection Supervisor (EDPS), which holds jurisdiction over EU institutional data processing. GDPR Article 33 requires supervisory authority notification within 72 hours of awareness of a breach; the regulatory review focuses on that compliance gap (daily 2026-05-08). The exposed dataset covers EU member-state travellers who registered DiscoverEU passes; Swiss nationals who applied through bilateral arrangement may also be affected.