Two young men convicted of a cyber-attack that crippled Transport for London (TfL) for months had long histories of offending and were known to law enforcement bodies years before the breach, the BBC has learnt.
Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from east London, pleaded guilty on Monday to carrying out the 2024 attack, which disrupted TfL services, affected the personal data of millions, and forced all 28,000 employees to reset their passwords in person.
“Two teens convicted over TfL cyber-attack were known to police years earlier, raising questions about intervention.”
The pair were part of the cyber-crime collective Scattered Spider, a loosely organised gang of young English-speaking hackers linked to attacks on retailers Marks and Spencer and the Co-op.
But authorities had made frequent attempts to curb their offending – attempts that ultimately failed. Flowers first came to police attention shortly after his 16th birthday. In October 2023, he was caught carrying out low-level cyber-crime and visited by West Midlands Regional Cyber Crime Unit prevent officers. During the visit, according to police, he did not engage with officers and was given a cease and desist order to deter further offending.
Police had the option to invite him into the national Cyber Choices programme, designed to steer young people away from cyber-crime. But because Flowers was already under investigation for an offence and was reluctant to engage, they deemed him not suitable.
Just months later, the teenager – who was living with his grandmother – went on to commit increasingly serious offences with Scattered Spider, culminating in the TfL attack. He was eventually arrested on 16 September 2024.
The case raises questions over the effectiveness of interventions with young cyber-criminals. Experts have told the BBC that perpetrators often do not understand the real-world consequences of their actions.
Paul Foster, deputy director of the National Crime Agency and head of its National Cyber Crime Unit, said the case highlighted the challenges posed by a small number of highly capable offenders. He called for stronger legal powers – such as the proposed Cyber Crime Risk Orders (CCROs) – to deal with such cases. CCROs, announced by the UK government as part of planned reforms to the Computer Misuse Act, would allow police and courts to place restrictions on people considered high risk before they carry out further serious breaches. They would “enable earlier law enforcement interventions against high-risk cyber-crime offenders,” Foster said.
Whether those powers would have stopped Flowers and Jubair remains an open question.