therecord.media
Alexander Martin
November 21st, 2025
Two U.K. teenagers pleaded not guilty to hacking the Transport for London agency in 2024 — an attack attributed to the Scattered Spider cybercrime group.
Two British teenagers charged with Computer Misuse Act offenses over a cyberattack on Transport for London (TfL) last year pleaded not guilty during a court appearance on Friday.
Thalha Jubair, 19, and Owen Flowers, 18, were arrested at their homes in East London and Walsall, respectively, by officers from the National Crime Agency (NCA) in September. They appeared at London's Southwark Crown Court on Friday to enter their pleas.
Flowers had initially been arrested over the transit agency attack in September 2024, but released on bail. Both men were remanded into custody following the most recent arrest.
The NCA said following Flowers’ arrest in 2024 that its officers discovered additional potential evidence that the suspect had been involved in attacks against U.S. healthcare companies.
Alongside the TfL incident, Flowers faces two additional charges of conspiring with others to infiltrate and damage the networks of SSM Health Care Corporation and attempting to do the same to Sutter Health in the United States. He pleaded not guilty to these charges too.
Jubair faces an additional charge for refusing to provide investigators with passcodes to access devices seized from him. The Crown Prosecution Service (CPS) did not immediately respond to explain the current status of this charge.
The U.S. Department of Justice also unsealed a complaint against Jubair in September, accusing him of computer crimes.
The charges against both men are among the most severe in English law for cyber offenses, specifically “conspiracy to commit an unauthorised act in relation to a computer causing / creating risk of serious damage to human welfare/national security,” the maximum sentence for which is life imprisonment.
At the time of their arrest, Paul Foster, the head of the NCA’s National Cyber Crime Unit, said: “Today’s charges are a key step in what has been a lengthy and complex investigation. This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure.”
It follows the NCA warning of an increasing threat from English-speaking cybercriminal groups, including the loose collective tracked as Scattered Spider, which has been associated with a range of attacks in both Britain and the United States.
“The NCA, UK policing and our international partners, including the FBI, are collectively committed to identifying offenders within these networks and ensuring they face justice,” said Foster.
Hannah Von Dadelszen, chief prosecutor for the Crown Prosecution Service, said: “Our prosecutors have worked to establish that there is sufficient evidence to bring the case to trial and that it is in the public interest to pursue criminal proceedings.”
The charges come as the NCA’s cybercrime unit is understood to be busier than ever in investigating a range of cases. These include the hack against TfL, the Legal Aid Agency, two incidents impacting the National Health Service, and attacks on three retailers — Marks & Spencer, the Co-op, and the London-based luxury store Harrods.
Contempt of court laws prohibit prejudicing a jury trial by suggesting suspects' guilt or innocence, publishing details regarding their past convictions, or speculating about the character of the defendants.
theregister.com
Jessica Lyons
Thu 20 Nov 202
They keep coming back for more
Salesforce has disclosed another third-party breach in which criminals - likely ShinyHunters (again) - may have accessed hundreds of its customers' data.
This time, the suspicious activity involves Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers.
“This activity is likely related to UNC6240 (aka ShinyHunters),” Google Threat Intelligence Group’s principal analyst Austin Larsen told The Register, adding that the threat hunters are “aware of more than 200 potentially affected Salesforce instances.”
"Our investigation indicates this activity may have enabled unauthorized access to certain customers' Salesforce data through the app's connection," the CRM giant said in a security advisory published late Wednesday.
"Per our update, upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues," Salesforce spokesperson Allen Tsai told The Register.
Tsai declined to answer specific questions about the breach, including how many customers were compromised - the company has notified those affected, he said - and who is behind the latest theft of Salesforce customers' data.
"There is no indication that this issue resulted from any vulnerability in the Salesforce platform," Tsai said. "The activity appears to be related to the app's external connection to Salesforce."
Gainsight did not immediately respond to The Register's request for comment.
While Salesforce isn't pointing the finger at a particular threat group, Larsen attributed the activity to ShinyHunters. This is the same criminal crew that breached SalesLoft's Drift application earlier this year and stole a bunch of companies' OAuth tokens, which allowed them access to numerous orgs' Salesforce instances.
"Our team at Google Threat Intelligence Group (GTIG) has observed threat actors, tied to ShinyHunters, compromising third-party OAuth tokens to potentially gain unauthorized access to Salesforce customer instances," Larsen said in a LinkedIn post on Thursday.
Google's Mandiant incident response team is working with Salesforce to notify potentially affected organizations, Larsen added, and urged all companies to "view this as a signal to audit their SaaS environments," including conducting regular reviews of all third-party applications connected to their Salesforce instances.
Companies should also "investigate and revoke tokens for unused or suspicious applications," and, upon detecting any anomalous activity, "rotate the credentials immediately," he wrote.