Read more about the 2024 cyber-attack targeting Transport for London (TfL):
- TfL Admits Some Services Are Down Following Cyber-Attack
- TfL Confirms Customer Data Breach, 17-Year-Old Suspect Arrested
- Scattered Spider Teens Convicted of TfL Cyber-Attack
Two young men have been sentenced to five years and six months in prison each for the cyber-attack against Transport for London (TfL) after the judge found their actions were motivated in part by “selfish bravado” rather than purely financial gain.
Owen Flowers, 18, and Thalha Jubair, 20, were charged with committing unauthorised acts against TfL under the UK’s Computer Misuse Act (CMA). On June 22, 2026, they pleaded guilty to carrying out the attack in what was only the second criminal prosecution of its kind in the UK under the CMA.
The sentence was pronounced by Judge Justice Turner at Woolwich Crown Court, London, on July 16. It considers the guilty pleas for both defendants, as well as mitigating factors - such as their youth and diagnosed neurodiversity – and aggravating factors, notably the fact their “high expertise" meant they likely understood the impact of their actions.
Flowers and Jubair are believed to be part of a gang known as Scattered Spider. The group has been linked to major cyber-attacks over the past few years, including the Marks & Spencer and Co-op incidents in 2025.
Alongside other cybercriminal orgnaizations like Lapsus$ and ShinyHunters, Scattered Spider emanated from a loose collective known as The Com.
"To access victims, groups linked to The Com "mainly use phishing, voice phishing (vishing) and SIM swapping. They have also deployed ransomware strains and demonstrate a diverse range of tactics," said the UK’s National Crime Agency (NCA).
TfL Cyber-Attack Caused Significant Financial and Operational Impact
According to the NCA, the cyber-attack cost TfL £29m ($38m) in loss and recovery costs, with TfL claiming an additional £10m ($13.5m) in lost income.
While the incident did not directly impact the TfL transport system, it had a ripple effect on many of the company’s internal and customer-facing systems.
For instance, the perpetrators gained access to data from TfL’s Oyster refund system, leading to the company to close down applications for Oyster photocards for children and young people.
Additionally, the booking system for the Dial-a-Ride buses used by people with disabilities was shut down because of the breach and data on live tube times for mobile apps like TfL Go and CityMapper was taken offline.
Some TfL staff members were sent to work from home for the whole of September 2024 and over 27,000 employees were also required to reset their passwords in person.
In total, the hack is estimated to have affected between seven and 10 million people across the UK.
Had the attack succeeded in shutting down the transport network the estimated cost to the UK economy could have been up to £56bn ($75bn), according to the NCA.
Social Engineering and 2FA Reset
Flowers was 17 and Jubair was 18 when they gained access to TfL systems on 31 August, 2024. They maintained access to the system until September 3, 2024.
A senior NCA officer confirmed the two young men used TfL employees’ partial user credentials obtained from “well-known online criminal marketplaces and forums,” as well as other social engineering techniques to gain access to the system and request a two-factor authentication (2FA) reset.
“It took multiple attempts to successfully reset that 2FA, so they were persistent – as we know they are – and then they then worked to escalate privileges within TfL systems,” the senior NCA officer added.
Flowers and Jubair were in close contact throughout the whole operation, with Telegram messages between the pair mentioning they gained access to TfL's database of people with Oyster cards.
The pair also streamed some of the “progress of their activity” to a live audience, said Justice Turner during the sentencing.
Flowers had a history with law enforcement prior to the TfL case. In October 2023, West Midlands Police issued him a cease and desist notice. At that time, he was offered the opportunity to undergo training and receive guidance concerning computer misuse laws, but he declined to take part.
Following his arrest and charges relating to the TfL hacking incident in 2024, Flowers was granted bail, though subject to stringent conditions. He failed to comply with these conditions on two separate occasions - once in October 2024 and again in May 2025. Additionally, he received a formal warning in March 2025.
Jubair's contact with police also predates the TfL case, stretching back several years. Notably, in 2023, when he was still a minor, he was handed a Youth Rehabilitation Order for offences connected to Lapsus$. Reporting restrictions at the time meant his identity remained protected due to his age.
Jubair's criminal record is extensive, comprising 22 prior convictions, with his offending beginning at just 14 years old. Beyond his UK case, he is also sought by US authorities in relation to cybercrimes allegedly involving the theft and extortion of millions of dollars from victims.
UK's Largest Cybercrime Prosecution
Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, said, “This is the largest cybercrime prosecution ever brought before the UK courts and the culmination of nearly two years of painstaking work by the NCA, Crown Prosecution Service (CPS) and our policing partners.”
“Scattered Spider has been the most significant cybercrime threat to the UK in recent years. Through this investigation, we have severely disrupted that threat and brought key offenders to justice,” he added.
According to the NCA, the threat from serious and organized cybercrime to the UK remains very high in 2026.
"The intent of cybercriminals impacting the UK remains consistent; while there has been a small number of attacks from UK-based individuals whose motivation includes notoriety, the vast majority of attacks are conducted by criminals based in other jurisdictions, for financial gain," said an NCA spokesperson.
Image credit: Mounir Taha / Shutterstock.com
