Transport for London hackers jailed for five and a half years
![]()
The duo behind the major 2024 cyberattack are reported to have been leading members of the Scattered Spider cybercrime collective.
Two men responsible for the 2024 cyberattack on Transport for London (TFL) have each been sentenced to five and a half years in prison by a UK court.
Owen Flowers and Thalha Jubair, who were teenagers at the time of the cyberattack, were sentenced today (16 July) at Woolwich Crown Court after previously pleading guilty to the hack. The pair were arrested and charged last year.
In late August and early September in 2024, Flowers and Jubair gained access to TFL customer data after impersonating an employee and tricking a phone helpdesk worker into resetting that employee’s password – leading to the theft of around 10m customers’ data.
The cyberattack – which cost TFL £29m – disrupted a number of transportation services in the UK’s capital, including a booking service that provides transport to vulnerable Londoners, while 148 technology systems were rendered inoperable.
In order to stop the attack, all 27,000 TFL employees were summoned to one of the authority’s offices for a password reset and its IT team disconnected its system from the internet.
Had the attack been successful in shutting down TFL’s entire network, it’s estimated that damages could’ve totalled up to £56bn.
According to the UK’s National Crime Agency, both Flowers and Jubair were leading members of cybercrime collective Scattered Spider, which has been linked to other major cyberattacks such as the Marks and Spencer hack.
As well as the TFL attack, Flowers also admitted to conspiring to launch cyberattacks on American nonprofit healthcare systems SSM Health and Sutter Health.
According to the Crown Prosecution Service (CPS), devices belonging to Flowers linked him to all three attacks, while information linking Jubair to the TFL cyberattack was reportedly found overseas.
During the trial – which began last month – the court heard that the duo livestreamed the TFL hack online. Telegram messages of Flowers and Jubair joking about the consequences of the cyberattacks were also uncovered and then used by the prosecution as evidence of the pair’s involvement.
According to the CPS, Flowers and Jubair are believed to be the first hackers to be successfully prosecuted under Section 3ZA of the UK’s Computer Misuse Act 1990.
“Flowers and Jubair broke into and accessed sensitive systems to extract information from millions of Oyster card-holders,” said Lionel Idan, chief crown prosecutor for SEOCID Regional and Wales Division in a press release.
“The evidence revealed not only the sophistication and persistence of their attack but also the recklessness of those responsible. Both defendants showed a staggering disregard for the consequences of their actions as their cyberattack led to TfL having to ‘pull the plug’ on their own network to protect it from wider disruption to the transport network.
“This successful prosecution was a perfect example of collaboration with investigators, prosecutors and international partners working together to build a watertight case that left Jubair and Flowers with little choice but admit their crimes.”
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.