Two young men accused of orchestrating a multimillion-pound cyber assault on Transport for London (TfL) have appeared in court, as investigators warn the wider insurance and financial services sectors are firmly in the crosshairs of the same hacking collective.
At Westminster magistrates court, Thalha Jubair, 19, of east London, and Owen Flowers, 18, of Walsall, were charged with conspiring to commit unauthorised acts under the Computer Misuse Act. Prosecutors allege the pair were part of a plot that inflicted losses of £39 million on TfL, though the capital’s transport services themselves were not halted.
The Guardian reported that Flowers faces additional counts linked to cyber intrusions against US health providers SSM Health Care and Sutter Health, while Jubair stands accused of refusing to provide passwords for devices seized during the investigation.
Read more: Ransomware attacks fewer but costlier
Both men were arrested earlier this week in coordinated raids by the National Crime Agency (NCA) and City of London police. Paul Foster, head of the NCA’s national cybercrime unit, told the newspaper: “Today’s charges are a key step in what has been a lengthy and complex investigation. This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure.”
The two defendants are suspected of belonging to Scattered Spider, a group also known as UNC3944, which has become notorious for its aggressive campaigns against large corporations. According to Google’s Threat Intelligence Group, the gang has moved beyond retail and casinos into insurance and financial services, exploiting customer-service helpdesks and call centres to trick staff into granting access.
“Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert,” warned John Hultquist, Google’s chief cyber analyst, in comments reported by Insurance Business. His team has linked the group to recent intrusions at US insurers Erie Insurance and Philadelphia Insurance, both of which have been forced into partial shutdowns and are now managing class action risks and regulatory scrutiny.
The arrests come at a delicate moment for insurers already grappling with systemic cyber exposures. The Marks & Spencer breach earlier this year – widely attributed to the same collective – has triggered what may be a record £100 million cyber insurance claim. Allianz, Beazley and other carriers are expected to absorb significant portions of that loss.
With only a fraction of UK corporates carrying dedicated cyber cover, analysts argue the TfL case underlines both the fragility of critical infrastructure and the scale of latent risk in the economy. A coordinated campaign, if sustained, could translate into substantial aggregation losses across multiple insureds.
The Scattered Spider arrests highlight a growing reality for boards and risk managers: cyber criminals are no longer opportunists but sector-specialists. From London’s transport authority to US health networks, retailers, and now insurance carriers, their reach is both international and deliberate.
The NCA has pledged continued cooperation with the FBI and other overseas partners. “The NCA, UK policing and our international partners… are collectively committed to identifying offenders within these networks and ensuring they face justice,” Foster said.
For insurers, the industry is no longer just an underwriter of cyber risk; it is now a direct target.
