£29 million and 27,000 in-person password resets: the TfL hack's bill came due
On July 16, 2026, Woolwich Crown Court sentenced Owen Flowers, 18, and Thalha Jubair, 20, to five and a half years each for the 2024 attack on Transport for London. The UK's National Crime Agency describes both as leading members of Scattered Spider — the extortion crew also tracked as Octo Tempest, UNC3944 and 0ktapus, the same scene credited with the MGM Resorts attack in 2023 and the wave against UK retailers in 2025. Flowers additionally admitted charges over attacks on US healthcare organizations.
The numbers from the case are worth sitting with. The intrusion ran from August 31 to September 3, 2024 — four days. It left 148 TfL systems inoperable, and the NCA and CPS put losses and recovery at £29 million. And it produced one of the most striking logistics operations in incident-response history: all 27,000 TfL employees were required to show up in person to have their passwords reset and identities verified, one by one.
The attack chain had no exploit in it
According to the case reporting, the pair bought partial TfL credentials on criminal forums, used them to reset the two-factor authentication on employee accounts, then impersonated an employee and talked a help-desk worker into resetting an account password. That's the entire entry chain: bought secrets, a weak reset flow, and one persuasive phone call. No zero-day, no malware innovation — the same three moves Scattered Spider has used against casinos, retailers and insurers for years.
Two people barely out of school, working from bedrooms, took 148 systems away from one of the world's largest transport authorities. The asymmetry isn't a talent story; it's a structure story. Credential-based attacks scale down to two teenagers because the defenses that stop them — phishing-resistant MFA, hardened reset procedures, credentials that can't be bought because they expire — weren't there.
Why recovery cost more than the attack
The in-person reset marathon is the detail that should stick. Once an identity system is compromised, every remote channel you'd normally use to re-issue credentials — email, SMS, the help desk itself — is potentially in the attacker's hands. TfL's answer was the only fully trustworthy channel left: physical presence, 27,000 times. That is what "re-establishing trust in credentials at scale" actually looks like when you have no pre-established secure channel for distributing new secrets.
Most organizations never budget for this. The cost of a credential compromise isn't the ransom you didn't pay — it's rebuilding the entire chain of trust afterwards, credential by credential, human by human.
What to change before it's your help desk
- Treat the help desk as your perimeter. Password and MFA resets are the highest-privilege operation in the company. Require verification that can't be socially engineered — callbacks to known numbers, manager confirmation, or in-person/video checks for privileged accounts.
- Make bought credentials worthless. The entry point was partial credentials purchased on a forum — meaning they'd leaked long before and still worked. Short-lived sessions, phishing-resistant MFA (passkeys/FIDO2, not SMS or push), and monitoring for credential-stuffing patterns turn stale loot into junk.
- Have a secure redistribution channel before you need it. The question "how do we get new credentials to thousands of people when email is untrusted?" has exactly two answers: physical presence (£29M edition), or a pre-agreed out-of-band channel where each new secret expires, can be read once, and confirms delivery. Deciding this during the incident is what makes it expensive.
- Rehearse the reset day. Tabletop the scenario where your identity provider itself is suspect. Who re-issues what, over which channel, verified how? TfL improvised it under pressure with the whole city watching.
The takeaway
The sentencing closes the legal chapter, but the economics are the lesson: the attackers spent close to nothing, and the defenders spent £29 million — most of it on the unglamorous work of making 27,000 identities trustworthy again. Every credential that leaks and keeps working, every reset flow that trusts a voice on the phone, is a prepayment on that bill. Credentials should expire, resets should be hard to fake, and the channel for handing someone a new secret should exist before the morning you need 27,000 of them.
