Two men who broke into the heart of Transport for London’s computer systems as teenagers – streaming the 16-hour attack live and boasting of holding the “keys to the kingdom” – were each sentenced to five years and six months in prison on Thursday.
Owen Flowers, 18 at the time of the hack and now 19, from Walsall, and Thalha Jubair, then 18 and now 20, from east London, pleaded guilty in June to carrying out the September 2024 cyber-attack that cost TfL £39m – £29m in direct costs and £10m in lost income. The pair were part of the loosely coordinated hacking collective Scattered Spider, which has been linked to attacks on retailers including Marks and Spencer and the Co-op.
“Two teenage hackers jailed for five and a half years each after crippling Transport for London in a £39m cyber-attack.”
At Woolwich Crown Court, the judge, Mr Justice Turner, said the attack was “primarily motivated by selfish bravado, heedless of the severe consequences to others”. TfL’s commissioner, Andy Lord, a former British Airways executive, described it as the worst incident he had faced in his career.
The breach began at 5pm on 31 August 2024, when Flowers and Jubair tricked a phone help-desk worker into resetting the password of an employee they were impersonating. Telegram messages between them showed them boasting about accessing TfL’s database of Oyster card holders; they then searched for the personal details of London celebrities and attempted to access banking information.
Prosecutors said that at one point they “could have shut out and shut down TfL completely”, having created a “domain admin” account described in court as “the keys to the kingdom”. Flowers later joked, “Scattered Spider is creating webs on the London Underground.”
The attack disrupted TfL’s online services for months, stole the data of millions of customers, and forced all 27,000 employees to reset their passwords in person. TfL was unable to process payments on Oyster and contactless apps or register cards to accounts. The dial-a-ride service for disabled passengers could not process bookings for a period. TfL’s IT team eventually logged out all staff and disconnected systems from the internet – “pulling the plug”, in the words of the court – to stop the hackers. In total, 148 technology systems became inoperable.
Both men were described as computer-obsessed loners with few offline friends. Jubair lived with his parents in a council flat in Bow, east London; Flowers lived with his grandmother and uncle in Walsall. Flowers also received the same sentence for hacking two US healthcare providers.
The National Crime Agency has warned that the rise of young hackers is one of the biggest threats to the UK’s cyber security. As revealed by the BBC, the stolen TfL database – containing details of as many as 10 million customers – is still being shared among criminal groups.