Trust under attack: Best infosec long reads 7/11/26

Inside the TfL hack, The cyber war game nobody wants to play, AI's toughest test case, When anti-piracy breaks the internet, The protocol that changed the internet, Why prompt injection won't go away

Share
Trust under attack: Best infosec long reads 7/11/26
Image by Kev from Pixabay

Happy Saturday to all!

Full access to Metacurity's curated infosec long reads is available to paid subscribers. Our goal is simple: make it financially viable to keep investing the time and expertise required to find, vet, and contextualize the most important security journalism each week. Free readers will still get highlights, but subscribers will get the complete, deeply curated set.

Please help support Metacurity in achieving our goal by upgrading your subscription to gain full access to this issue and all content published on Metacurity, including the archives.

7/11/26: This week's long reads examine the fragile trust relationships that underpin modern digital systems. From the alleged Scattered Spider attack that crippled TfL through a single compromised account to AI models that cannot distinguish legitimate instructions from malicious ones, the stories reveal a common truth: the hardest problems in cybersecurity are rarely technical alone.

The teenage millionaire hacker from Tower Hamlets who took down TfL

London Centric's Polly Smythe, Jim Waterson, and Cormac Kehoe paint a detailed portrait of how alleged Scattered Spider member Thalha Jubair became linked to the disruptive Transport for London cyberattack and the broader ecosystem of socially engineered intrusions.

It was by compromising the account of a single employee that Jubair was able to hack into TfL’s systems in late August 2024, catastrophically damaging the transport authority’s ability to manage its own systems. At an early court hearing last September, the prosecutor said that the “ultimate objective of the attack was to install ransomware”.
Although buses and tubes were kept running, one TfL executive described the behind-the-scenes situation to London Centric as “an utter shitshow”, with hundreds of thousands of holders of discount travel cards affected.
The booking system for the Dial-a-Ride buses used by people with disabilities was shut down, and data on live tube times for apps such as TfL Go and Citymapper was taken offline.
Hundreds of thousands of Londoners were overcharged for using the network, and many of the capital’s teenagers were unable to access free travel, leaving some without the means to get to work or college. Sadiq Khan later told London Centric that some passengers would never be refunded.
TfL commissioner Andy Lord described the incident as a “highly sophisticated” cyber attack that could have been much worse. Staff at TfL’s HQ were unable to log on to the IT network, WiFi was taken down, and office-based staff were sent to work from home for the whole of September. When they returned, every TfL staff member had to travel into the office to have their login details reset. City Hall had just outsourced its IT to TfL meaning everyone from the mayor downwards had their work systems affected. Projects ranging from the extension of the contactless payment scheme to commuter stations to the rebranding of the London Overground lines were delayed.
Flowers, the teenager from Walsall, was arrested soon after. But it took another year for Jubair, who was portrayed in US court documents as a mastermind of the group, to be charged. We now know that the incident, which cost TfL £39m, and in which 10 million people’s data was stolen, was in part orchestrated from the bedroom of Jubair’s east London flat.
Paul Foster, the head of the National Crime Agency’s cyber crime unit, said the “profile of offenders like Flowers and Jubair demonstrates the increasing threat from cyber criminals based in the UK and other English-speaking countries”.

Read more