- Two British hackers have been jailed for five and a half years over the £29 million cyberattack on Transport for London.
- Investigators said the pair gained the highest level of access to TfL's systems and could have caused far greater disruption.
- One of the hackers continued attempting cyberattacks from prison while awaiting sentencing.
Two British hackers who infiltrated Transport for London (TfL) and carried out a cyberattack that cost the transport authority £29 million ($39.16 million) to recover from have each been sentenced to five and a half years in prison.
Thalha Jubair, 20, and Owen Flowers, 18, admitted carrying out the TfL cyberattack between August 31 and September 3, 2024, after gaining deep access to the organisation's computer systems. Prosecutors said the pair worked for up to 16 hours a day during the attack, operating from their family homes in east London and the West Midlands.
How two teenagers got the 'keys to the kingdom'
The court heard the hackers managed to obtain what investigators described as the highest level of administrative access within TfL's network, effectively giving them what prosecutors called the "keys to the kingdom". At one stage, they could have locked staff out of the systems or shut down large parts of the network altogether.
That scenario was avoided only after TfL disconnected critical systems from its network, effectively pulling the plug before the attackers could do more damage. Although London's Tube and bus services continued operating, other services were affected. The Dial-a-Ride service for disabled passengers temporarily lost the ability to process bookings, while around 27,000 TfL employees had to reset their passwords.
The attack also exposed the personal information of millions of commuters. TfL later warned the breach had the potential to cause "catastrophic damage" and could have resulted in prolonged disruption across London's transport network.
Andy Lord, TfL's commissioner, reportedly described the incident as the most serious cyberattack he had dealt with during his career.
The financial impact was equally significant. The organisation spent around £29 million restoring systems and strengthening its cyber defences, with recovery work taking around six months.
Prosecutors said Jubair livestreamed the attack while Flowers watched remotely. Investigators later recovered the recording from Flowers' laptop, which became a key piece of evidence.
During the intrusion, the pair reportedly searched TfL's customer database for celebrity records and communicated throughout the operation using the Telegram messaging platform.
Links to Scattered Spider and a history of hacking
The hackers were teenagers when the attack took place, aged 18 and 17 respectively, but prosecutors told the court they were already highly experienced in cybercrime.
British authorities have previously linked the TfL breach to the loosely organised hacking community known as Scattered Spider, although prosecutors argued the name refers more to a pattern of behaviour than a formal organisation. The pair nevertheless acknowledged having links to individuals associated with the group, and investigators recovered messages in which they referred to "Scattered Spider" while carrying out the attack.
Flowers also admitted conspiring with others to hack two non-profit healthcare providers in the US only days after targeting TfL. Prosecutors said those attacks stopped only because he was arrested "literally caught in the act", as quoted in a news report.
The court also heard Flowers attempted further hacking activity even after being remanded in custody. Devices recovered from prison reportedly contained searches and attempted access to websites linked to the Crown Prosecution Service and the prison where he was being held.
Jubair already had a history of cybercrime. In 2023, he was convicted over the hacking and blackmail of chipmaker Nvidia as part of the Lapsus$ hacking group. He was also sentenced for stalking two young women, including attempting to "swat" one victim by making a false emergency report intended to send armed police to her home.
The pair had accumulated millions of dollars' worth of cryptocurrency through their hacking activities, investigators said.
Passing sentence at Woolwich Crown Court, Mr Justice Mark Turner said the offences appeared to be "primarily motivated by selfish bravado", as quoted in a news report. The National Crime Agency said the convictions had effectively disrupted the criminal activity linked to the pair.








