When the Scattered Spider attack hit Transport for London in August 2024, it did not arrive through an unpatched server or a zero-day exploit. It came through a phone call. Two young men, now 20 and 18, convinced an IT helpdesk worker to let them in. Eighteen months later, both have pleaded guilty at Woolwich Crown Court. The breach cost TfL £29 million. The techniques they used are still in active use today.
How the Scattered Spider Attack Works
Thalha Jubair and Owen Flowers were both members of the Scattered Spider collective. They broke into TfL’s network between 31 August and 3 September 2024. Investigators found screen-recorded videos on a laptop at Flowers’ address. The videos showed Jubair accessing TfL systems in real time. Telegram logs captured their coordination during the attack itself.
The group’s core method is social engineering. Attackers call the IT helpdesk and claim to be an employee. They ask for a password reset or to register a new MFA device. Sometimes they send repeated push notifications until the real user gets frustrated and approves one. That is called push bombing. Another method is SIM swapping. The attacker convinces a mobile carrier to redirect the victim’s phone number to a SIM they control. Real-time phishing kits such as Evilginx can also capture a password and MFA token at the same time, before the victim knows anything is wrong.
Yet none of this requires exceptional skill. It requires patience, a convincing voice on the phone, and an organisation that has not thought carefully about its identity verification procedures.
What the TfL Breach Exposed
The attackers accessed TfL’s Oyster refund system. They also got into the application service for discounted photocards issued to children and young people. Around 5,000 customers had their bank account numbers and sort codes potentially exposed. Personal data for an estimated ten million passengers was swept up in the breach. That included names, email addresses, home addresses and phone numbers.
All 28,000 TfL employees had to attend a TfL office in person to reset their passwords. The process took weeks, so internal operations were disrupted throughout.
Four Controls That Would Have Helped
The Scattered Spider attack pattern always starts in the same place. The weak point is the process around identity verification and MFA management. Technology is rarely what fails first.
The first control is a strict helpdesk procedure for any account change or MFA reset. Staff should not be able to approve these over an unauthenticated phone call. A secondary confirmation through a verified channel, or a manager sign-off, adds a step that impersonation alone cannot bypass.
Second, phishing-resistant MFA is worth deploying on any critical system. FIDO2 hardware keys and device-bound passkeys cannot be relayed or captured by a phishing kit. Push notifications and SMS codes can. If your highest-risk systems still rely on either, that is a gap worth closing first.
Third, SIM-swap risk deserves attention if account recovery depends on a phone number. Carrier-level protections such as PIN locks add friction for an attacker. Removing SMS as a recovery option removes the risk entirely.
Fourth, audit what your helpdesk can do without extra authorisation. If a single agent can add a new authenticator to any account with no logging or oversight, that is a blind spot. Centralising those approvals with alerting attached is a straightforward change that closes it quickly.
Testing Whether Your Controls Actually Work
The only reliable way to know whether your process holds against a Scattered Spider attack is to test it. Social engineering assessments, sometimes called vishing tests, do exactly this. A tester calls your helpdesk posing as an employee and asks for a credential change. The test records whether the process holds under real pressure. Many organisations are surprised by what they find.
It is also worth checking your audit trail. Can you see which accounts had MFA devices added in the past 90 days? Do you get an alert when a new device is registered on a privileged account? If the answer to either question is no, those are gaps an attacker could exploit without detection.
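One way to turn those two audit questions into a repeatable check, as an added example that is not TfL's tooling or code from the original article: it reviews a constructed MFA-registration log, lists registrations from the last 90 days, and flags the ones that should raise an alert. The JSON-lines format, the field names and the privileged-account set are assumptions, not any vendor's schema.

```python
# Added example: review MFA device registrations in a constructed audit log.
# Field names (ts, event, user, actor, approval_ref) are assumptions, not a real schema.
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events (JSON lines). "actor" is who performed the change;
# "approval_ref" is the change ticket or secondary confirmation, if any.
SAMPLE_LOG = """
{"ts": "2024-08-30T09:12:00Z", "event": "mfa_device_registered", "user": "alice", "actor": "alice", "approval_ref": null}
{"ts": "2024-08-31T22:41:00Z", "event": "mfa_device_registered", "user": "svc-admin", "actor": "helpdesk-07", "approval_ref": null}
{"ts": "2024-09-01T10:05:00Z", "event": "mfa_device_registered", "user": "bob", "actor": "helpdesk-03", "approval_ref": "CHG-4412"}
{"ts": "2024-05-01T08:00:00Z", "event": "mfa_device_registered", "user": "carol", "actor": "helpdesk-03", "approval_ref": null}
{"ts": "2024-09-02T11:00:00Z", "event": "login_success", "user": "alice", "actor": "alice", "approval_ref": null}
"""

PRIVILEGED = {"svc-admin", "carol"}  # assumed; in practice, read from IdP group membership
NOW = datetime(2024, 9, 3, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible

def parse_events(text):
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def recent_mfa_registrations(events, now=NOW, days=90):
    """Question 1: which accounts had an MFA device added in the last `days` days."""
    cutoff = now - timedelta(days=days)
    found = []
    for e in events:
        if e["event"] != "mfa_device_registered":
            continue
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        if ts >= cutoff:
            found.append(e)
    return found

def alerts_for(events, now=NOW, privileged=PRIVILEGED):
    """Question 2: which recent registrations should page someone.
    Flags a new device on a privileged account, and any registration performed
    by someone other than the account owner with no approval reference (the
    single-agent, no-oversight blind spot described above)."""
    alerts = []
    for e in recent_mfa_registrations(events, now):
        reasons = []
        if e["user"] in privileged:
            reasons.append("privileged account")
        if e["actor"] != e["user"] and not e.get("approval_ref"):
            reasons.append("helpdesk registration without approval reference")
        if reasons:
            alerts.append({"user": e["user"], "ts": e["ts"], "actor": e["actor"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in alerts_for(parse_events(SAMPLE_LOG)):
        print(alert)
```

With the sample data, only the svc-admin registration is flagged; carol's falls outside the 90-day window and bob's carries an approval reference.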
The Scattered Spider attack on TfL shows what is at stake. A group with no advanced technical skills caused £29 million in damage and exposed data on millions of people. That outcome was not inevitable. Better helpdesk procedures and phishing-resistant authentication would have made the attack significantly harder, well before any arrest was possible. Both defendants face sentencing on 16 July 2026. The social engineering techniques they relied on are not going away.