The transport operator’s online services were impacted and customers were unable to see some information boards because they went offline during the attack.
Data from TfL’s Oyster refunds system was accessed and the incident also affected TfL’s customer refund system, leaving some out of pocket for much longer than usual. It also closed down the application system for Oyster photocards for children and young people.
TfL wrote to thousands of customers to tell them about the unauthorised access to some personal information.
Investigators from the National Crime Agency (NCA) said they believed the “network intrusion” in summer 2024 was carried out by the online criminal group known as Scattered Spider.
The group has been linked to other cyber attacks on Jaguar Land Rover and retailers including Marks and Spencer.
Following the guilty pleas, the NCA said both men were had been arrested at their home addresses on 16 September 2024 as part of a joint investigation with the City of London Police.
The agency said investigators seized laptops, desktop computers, hard drives and USB devices from Flowers’ home.
One laptop contained a screenshot showing connectivity to TfL infrastructure, while videos found on the device appeared to show Jubair accessing TfL systems during the attack. The NCA said the pair communicated via Telegram and an online collaborative workspace.
Flowers was also found to have accessed an online tool selling breached credentials, according to investigators.
