Full story
TfL hack, then jail
Two young hackers, Thalha Jubair, 20, and Owen Flowers, 18, were jailed for a 2024 cyberattack on Transport for London (TfL) that forced the organisation to “pull the plug” on its own systems.
“Teen hackers who live streamed cyber-attack on TfL jailed Two men who carried out a cyber-attack which crippled Transport For London (TfL) when they were teenagers have both been sentenced to five years and six months in prison”
The Independent says the “multi-day intrusion” ran between 31 August and 3 September 2024 and that it resulted in all of TfL’s more than 27,000 employees being forced to attend an office in person to reset their passwords.

At Woolwich Crown Court, The Independent reports that Jubair and Flowers were each jailed for five years and six months, after the prosecution said they could have shut out and shut down TfL completely.
The BBC adds that the men were sentenced to five years and six months in prison after a 16 hour long cyber-attack that they livestreamed online as part of the cyber crime collective known as Scattered Spider.
The BBC also places the start of the hack at 1700 on 31 August, when Flowers and Jubair gained access to TfL’s database of people with Oyster cards.
Court heard motives
In sentencing remarks reported by The Independent, Mark Fenhalls KC told the court that the hackers “could have shut out and shut down TfL completely” given that they eventually obtained the “highest privileged access” within the system.
The Independent says the prosecution described the pair as “utterly reckless about the consequences” and that they worked through the night for 16 hours to access TfL systems after tricking the helpdesk into resetting a password for them.
The BBC reports that Judge Mr Justice Turner cited their young age and autism diagnoses as mitigating factors, while also describing the attack as part of a spree that started on a Saturday night to maximise their chances of not being discovered by staff.
The BBC also says the TfL hack saw the data of millions of customers stolen after Jubair and Flowers gained access by tricking a phone help desk worker to reset the password of an employee they were impersonating.
In the same BBC account, Flowers later joked, “Scattered Spider is creating webs on the London Underground,” as the court heard the pair searched the list for personal details of London celebrities before attempting to access banking details.
Costs, disruption, and risk
TfL estimated the attack cost the organisation around £29 million in damages and a further £10 million in lost income, and Euronews reports that the court heard the breach did not disrupt transport services but left parts of TfL’s systems offline for three months.
“TfL, which had to reset the passwords of around 27,000 employees, estimated the attack cost the organisation around £29 million (€34 million) in damages and a further £10 million (€11”
Euronews also says Judge Mark Turner stated that the pair’s actions caused “very serious” disruption and were motivated primarily by “selfish bravado,” while the City of London Police wrote on X that the attack cost tens of millions of pounds in losses and impacted thousands of customers.
The Independent reports that data from the Oyster refund system was accessed, contactless systems were delayed, and applications for Oyster photocards for children and young people were closed down.
The NCA said the attack forced all 27,000 of TfL’s employees to attend a TfL office for a password reset and that a total of 148 systems became inoperable, including critical ones requiring significant manual workarounds and delays.
The NCA also warned that had the attack succeeded in shutting down the transport network the estimated cost to the UK economy could have been up to £56 billion, and it said the convictions effectively halted Scattered Spider’s criminal activity.



