Advertisement
TechExplainer

Teenage hackers and the TfL cyber-attack: explained

Explains the TfL cyber-attack by teenage hackers, Scattered Spider group, and UK cyber security risks.

Tech

Teenage hackers and the TfL cyber-attack: explained

Two teenage hackers who bragged on livestream about breaking into Transport for London’s systems—and could have shut down the Tube altogether—have been jailed for five and a half years each. Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from east London, pleaded guilty to carrying out the 2024 cyber-attack that cost TfL £39 million, stole data on up to 10 million customers, and forced all 27,000 staff to reset their passwords in person. The case is the largest cybercrime prosecution in UK history, and it has shone a spotlight on a new breed of young, computer-obsessed hackers who the National Crime Agency (NCA) now considers one of the biggest threats to the nation’s cyber security.

The attack began at 5pm on 31 August 2024, when the pair tricked a TfL helpdesk worker into resetting a password for an employee they were impersonating. Over the next 16 hours—streamed live online—they burrowed into TfL’s systems, gaining “the keys to the kingdom” by creating a domain admin account with the highest level of access. They searched TfL’s customer database for the personal details of London celebrities and attempted to access banking information. The hackers were part of Scattered Spider, a loosely coordinated group of English-speaking cybercriminals, mostly aged 16 to 25, that has been linked to attacks on MGM Resorts, Marks & Spencer, the Co-op, and other major firms. Authorities in the UK, US, Spain and Finland have arrested young men and boys linked to the group in recent years.

Explains the TfL cyber-attack by teenage hackers, Scattered Spider group, and UK cyber security risks.

TfL was alerted to the breach by the NCA and fought to kick the hackers out. Eventually, it logged out all staff and disconnected its systems from the internet—effectively “pulling the plug” on its own network. By then, 148 technology systems were inoperable, the Dial-a-Ride service for disabled and vulnerable Londoners was disrupted, and TfL was unable to process Oyster or contactless payments or register new Oyster cards. The financial impact was £29 million in direct costs plus an estimated £10 million in lost income. Sentencing the pair at Woolwich Crown Court, Mr Justice Turner said the attack was “primarily motivated by selfish bravado, heedless of the severe consequences to others.” Both men were described as loners with few offline friends; Flowers was living with his grandmother and uncle in Walsall, while Jubair lived in a council flat in Bow with his parents. The judge acknowledged their neurodiversity and immaturity, but stressed the sophistication of the hacking and the scale of the harm.

Advertisement

For UK readers, this case is a stark reminder of how vulnerable critical infrastructure can be to relatively young, amateur criminals. Scattered Spider has been described by the NCA as “the most significant cybercrime threat to the UK in recent years.” The attack did not directly stop Tube trains or buses, but it caused months of disruption to online services, forced all TfL employees to physically attend a workplace to reset passwords, and—according to TfL—could have caused “catastrophic damage” and “significant and extended transport service degradation” if the hackers had not been stopped. The personal data of millions of customers, including Oyster card details, remains circulating in criminal forums. The case also marks only the second conviction under Section 3ZA of the Computer Misuse Act 1990, a law reserved for the most serious cyber offences that cause or risk serious damage.

Q: How did the teenagers gain access to TfL’s systems? They tricked a TfL helpdesk worker into resetting the password of an employee they were impersonating, a technique known as social engineering. Once inside, they created a “domain admin” account—described in court as “the keys to the kingdom”—giving them full control of the network.

Q: What is Scattered Spider? Scattered Spider is a loosely connected group of English-speaking cybercriminals, mostly young men aged 16 to 25. They have claimed responsibility for high-profile attacks on MGM Resorts, WestJet, and British retailers, and are considered the most significant cybercrime threat to the UK by the NCA.

Advertisement

Q: What personal data was stolen in the TfL hack? The hackers stole the personal data of up to 10 million TfL customers, including Oyster card details. They searched the database for celebrities’ personal information and attempted to access banking details. The data is still being shared on criminal forums.

The jailing of Flowers and Jubair is the culmination of a nearly two-year investigation described by the NCA as “the largest cybercrime prosecution ever brought before the UK courts.” While the NCA says the action has “effectively halted the group’s criminal activity,” it warns that other cybercriminals may continue to use the Scattered Spider brand. The case also underscores the growing challenge of teenage hackers—many living ordinary, isolated lives—who can inflict outsized damage on vital public services. With the conviction secured, the NCA’s focus will now be on other members of the group both in the UK and abroad, as authorities in the US, Spain and Finland pursue related investigations.

Advertisement
Advertisement