
UK hackers jailed for London transport cyberattack that cost £29 million
Thalha Jubair, 20, and Owen Flowers, 18, were sentenced to five and a half years each for the August-September 2024 hack that forced Transport for London to pull the plug on its systems and exposed millions of commuters' data.
The attack
Between 31 August and 3 September 2024, Jubair and Flowers breached TfL's systems after an accomplice called the help desk impersonating an employee to reset login credentials. They escalated privileges to create a domain admin account, described in court as "the keys to the kingdom". The pair searched customer databases for celebrities, compromised refund systems, and shut down the Oyster photocard application portal for young people. TfL was forced to disconnect its systems to stop the intrusion.
The attack was the worst incident I have faced in my career.
- Hackers gain initial access to TfL systems via help desk social engineering.
- TfL disconnects systems to stop the attack after four days.
- Jubair and Flowers plead guilty to hacking TfL.
- Both sentenced to five and a half years in prison.
Fallout and costs
The direct financial loss reached £29 million, though some reports put the total at £39 million. All 28,000 TfL staff had to reset passwords in person. The Dial-a-Ride service for disabled passengers was unable to process bookings for weeks, and real-time arrival apps such as TfL Go and Citymapper went offline. Data belonging to millions of commuters was stolen. Prosecutors said the hackers could have caused "catastrophic damage" and, if systems had not been disconnected, potential indirect losses could have reached £56 billion.
The hackers
Jubair, 20, from Tower Hamlets, had 22 previous convictions, including stalking and hacks of BT/EE, Nvidia, and City of London Police. He was also charged in the United States with conspiracies to commit computer fraud, wire fraud, and money laundering, accused of extracting $115 million in ransom payments. Flowers, 18, from Walsall, was arrested while hacking two US healthcare providers, SSM Health and Sutter Health, just days after the TfL attack. Both lived with family, communicated via Telegram, and Flowers livestreamed the attack. Jubair was identified partly because he ordered a takeaway to his home using vouchers bought with cryptocurrency linked to a server storing ransom payments.
Scattered Spider disruption
The pair were central members of Scattered Spider, a loose collective of English-speaking hackers linked to attacks on MGM, Marks & Spencer, Harrods, and others. Paul Foster, head of the NCA's National Cyber Crime Unit, said the convictions had "severely degraded" the group's ability to operate.
Scattered Spider has been the most significant cybercrime threat to the U.K. in recent years. Through this investigation, we have severely disrupted that threat and brought key offenders to justice.
Sentencing
At Woolwich Crown Court on 16 July 2026, Judge Mark Turner sentenced both to five and a half years in prison. He acknowledged their youth but said the crime's seriousness demanded custody, noting they were "primarily motivated by selfish bravado, heedless of the severe consequences for others".


