British authorities announced on Thursday that they had arrested a 17-year-old male in connection with a cyber attack that affected Transport for London (TfL).
The UK National Crime Agency (NCA) said: “A 17-year-old male has been detained on suspicion of offences under the Computer Misuse Act in connection with the attack on Transport for London on September 1st.”
The teenager, from Walsall, was allegedly arrested on September 5, 2024, after an investigation that was launched following the incident.
Law enforcement said the person, whose name has not been released, was questioned and has since been released on bail.
“Attacks such as this one on public infrastructure can cause significant disruption and have serious consequences for local communities and national systems,” said Deputy Commissioner Paul Foster, head of the NCA’s National Cyber Crime Unit.
“TfL’s swift response following the incident enabled us to act quickly and we’d like to thank TfL for their continued cooperation with their ongoing investigation.”
TfL later confirmed that the security breach had resulted in unauthorized access to bank account numbers and branch codes for around 5,000 customers, and said it would be contacting those affected directly.
TfL said: “There has so far been little impact to customers, but the situation is evolving and following our investigation we have determined that certain customer data has been accessed.”
“This includes the customer’s name and contact details, email address and home address (if provided).”
It is also worth noting that in July 2024 West Midlands Police arrested a 17-year-old boy, also from Walsall, in connection with a ransomware attack on MGM Resorts, which was blamed on the notorious Scattered Spider group.
It is not clear at this time whether the two cases refer to the same person. In June, a 22-year-old British man was also arrested in Spain for his alleged involvement in multiple ransomware attacks perpetrated by Scattered Spider.
This dangerous e-crime group is part of a larger collective known as The Com, a loosely knit ecosystem of different groups involved in cybercrime, squatting and physical violence. The group is also tracked as 0ktapus, Octo Tempest and UNC3944.
According to a new report from EclecticIQ, Scattered Spider ransomware attacks are increasingly targeting cloud infrastructure within the insurance and financial sectors, corroborating a similar analysis from Resilience Threat Intelligence in May 2024.
The group has a well-documented history of gaining persistent access to cloud environments through sophisticated social engineering tactics, as well as purchasing stolen credentials, performing SIM swaps, and leveraging cloud-native tools.
“Scattered Spider primarily targets IT service desks and identity administrators, frequently using phone-based social engineering techniques such as voice phishing (vishing) and text message phishing (smishing) to deceive and manipulate their victims,” said security researcher Arda Büyükkaya.
“Cybercriminal groups are abusing legitimate cloud tools such as Azure’s special management console and Data Factory to execute commands remotely, transfer data, and maintain persistence while evading detection.”