Canadian Cyber Security Journal
Filed under: News

Scattered Spider Members Plead Guilty Over Transport for London Hack — What the Convictions Mean for Canadian Organizations

What Happened

Two members of the Scattered Spider cybercrime group pleaded guilty on June 23, 2026 — the first day of their trial — to charges under the UK Computer Misuse Act. Thalha Jubair, 20, from London, and Owen Flowers, 18, from Walsall, admitted to breaching Transport for London’s computer network between August 31 and September 3, 2024. The attack disrupted TfL’s Oyster refund system and online services, caused £39 million in losses and recovery costs, and exposed passenger data. Sentencing is set for July 16, 2026.

Scattered Spider is a loosely organized network of predominantly English-speaking cybercriminals known for sophisticated social engineering, SIM swapping, and identity-based attacks targeting major companies in aviation, insurance, retail, and critical services. The group gained notoriety for breaches of MGM Resorts and Caesars Entertainment in 2023, and has since expanded its targeting across sectors in the United States, United Kingdom, and Canada.

Why This Matters for Canadian Organizations

Scattered Spider’s techniques are directly relevant to Canadian organizations. The group’s hallmark attack method — phone-based social engineering against IT help desks and identity providers — works against any organization where employees can request password resets or MFA bypass through a call centre. Major Canadian banks, telecoms, retailers, and government service providers all operate the kind of help desk infrastructure Scattered Spider exploits.

The guilty pleas are notable for demonstrating that English-speaking cybercrime groups operating in NATO countries are not beyond the reach of prosecution — a message with particular significance given Scattered Spider’s documented activity against Canadian targets. However, the group’s decentralized structure means these two arrests represent only a fraction of its operational membership. Canadian security teams should not interpret this week’s convictions as the end of the threat.

The prosecution also highlights a tactic Canadian organizations often underestimate: vishing — voice-based phishing against IT staff. Both Jubair and Flowers used social engineering rather than technical exploits as their primary entry vector. Under PIPEDA, organizations have an obligation to implement safeguards appropriate to the sensitivity of the data they hold; that obligation extends to human-layer controls like identity verification protocols for help desk calls, not just technical security tools.

What to Do

Review your IT help desk identity verification procedures. Enforce a strict callback protocol for any request to reset passwords or disable MFA, verifying the caller’s identity through a second channel — such as a manager confirmation or a call to a number on record — rather than accepting caller ID or employee-provided information at face value. Train help desk staff specifically on vishing scenarios and empower them to refuse or escalate requests that feel off. Audit logs for any anomalous MFA bypass or password reset requests, particularly for administrative accounts. If your organization uses Okta, Azure AD, or Ping Identity for identity management, review your provider’s guidance on social engineering-resistant authentication policies.
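As an added illustration of the log-audit step above (example code written for this article, not from the article’s sources or any identity vendor), the following Python scans a constructed help-desk audit log in a hypothetical NDJSON format and flags password or MFA resets that lack a recorded second-channel verification, singles out resets of privileged accounts, and detects a burst of weakly verified resets approved by one analyst. The field names, group names and thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample help-desk audit log in a hypothetical NDJSON format (not from any real product).
SAMPLE_LOG = """\
{"ts": "2024-09-01T08:02:11Z", "action": "password_reset", "target": "j.doe", "groups": ["staff"], "verified_via": "callback", "analyst": "hd01"}
{"ts": "2024-09-01T08:15:40Z", "action": "mfa_reset", "target": "svc-admin", "groups": ["domain-admins"], "verified_via": "caller_id", "analyst": "hd02"}
{"ts": "2024-09-01T08:17:05Z", "action": "password_reset", "target": "svc-admin", "groups": ["domain-admins"], "verified_via": "caller_id", "analyst": "hd02"}
{"ts": "2024-09-01T08:20:30Z", "action": "mfa_reset", "target": "a.lee", "groups": ["staff"], "verified_via": "manager_confirmation", "analyst": "hd01"}
{"ts": "2024-09-01T08:21:00Z", "action": "mfa_reset", "target": "b.kim", "groups": ["staff"], "verified_via": "caller_id", "analyst": "hd02"}
{"ts": "2024-09-01T08:22:10Z", "action": "mfa_reset", "target": "c.ng", "groups": ["staff"], "verified_via": "caller_id", "analyst": "hd02"}
{"ts": "2024-09-01T08:30:00Z", "action": "unlock", "target": "d.roy", "groups": ["staff"], "verified_via": "caller_id", "analyst": "hd02"}
"""
# Second-channel checks that satisfy the callback protocol; anything else counts as weak.
STRONG_VERIFICATION = {"callback", "manager_confirmation"}
PRIVILEGED_GROUPS = {"domain-admins", "global-admins", "helpdesk-admins"}  # assumed group names
RESET_ACTIONS = {"password_reset", "mfa_reset"}
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 3  # weakly verified resets by one analyst within the window

def parse_events(text):
    """Parse NDJSON lines into dicts with datetime timestamps, sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda ev: ev["ts"])

def find_suspicious(events):
    """Return (rule, subject, timestamp) findings for reset events that need review."""
    findings, weak_by_analyst = [], defaultdict(list)
    for ev in events:
        if ev["action"] not in RESET_ACTIONS:
            continue  # unlocks and other actions are outside this rule set
        if ev["verified_via"] in STRONG_VERIFICATION:
            continue  # callback protocol was followed; nothing to flag
        privileged = bool(PRIVILEGED_GROUPS & set(ev["groups"]))
        rule = "privileged_reset_without_callback" if privileged else "reset_without_callback"
        findings.append((rule, ev["target"], ev["ts"]))
        weak_by_analyst[ev["analyst"]].append(ev["ts"])
    # Burst rule: one analyst approving several weakly verified resets in a short window.
    for analyst, times in weak_by_analyst.items():
        for start in times:
            if sum(1 for t in times if start <= t < start + BURST_WINDOW) >= BURST_THRESHOLD:
                findings.append(("reset_burst", analyst, start))
                break  # report each analyst once
    return findings

if __name__ == "__main__":
    for rule, subject, ts in find_suspicious(parse_events(SAMPLE_LOG)):
        print(f"{ts:%H:%M:%S} {rule:<36} {subject}")
```

Against the constructed sample this flags both resets of the privileged account, two staff resets accepted on caller ID alone, and a burst attributed to analyst hd02, while the callback-verified and manager-confirmed resets pass.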

Source: Krebs on Security | BleepingComputer
