Advertisement
UK

Teens who hacked TfL were known to police years before cyber-attack

Two teens convicted of TfL hack were known to police years earlier, raising questions about prevention.

UK

Teens who hacked TfL were known to police years before cyber-attack

Two young men who pleaded guilty this week to crippling Transport for London (TfL) with a cyber-attack had long histories of offending and were both known to law enforcement bodies years before the breach, the BBC has learned.

Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from east London, admitted on Monday to carrying out the attack on TfL – a breach that disrupted services for months, affected the personal data of millions of people, and forced all 28,000 TfL employees to reset their passwords in person.

Two teens convicted of TfL hack were known to police years earlier, raising questions about prevention.

The pair were part of Scattered Spider, a loosely organised cyber-crime collective linked to dozens of other attacks, including on retailers Marks and Spencer and the Co-op. But the BBC has discovered that Flowers first came to police attention shortly after turning 16.

Advertisement

In October 2023, he was caught committing low-level cyber-crime and visited by officers from West Midlands Regional Cyber Crime Unit. Police said Flowers did not engage with them and was given a cease and desist order to deter further offending. Officers had the option to enrol him in the national Cyber Choices programme, designed to steer young people away from cyber-crime, but because he was already under investigation and reluctant to engage, they deemed him unsuitable.

Just months later, the teenager – living with his grandmother – went on to commit a series of increasingly serious offences with Scattered Spider, culminating in the TfL attack. He was eventually arrested in September 2024 in connection with the breach.

The case has raised questions about the effectiveness of interventions for young cyber-criminals. Experts told the BBC that perpetrators often do not appear to understand the real-world consequences of their actions.

Advertisement

National Crime Agency deputy director Paul Foster, who heads its National Cyber Crime Unit, said the case highlighted the challenges posed by a small number of highly capable offenders. He called for stronger legal powers, such as the proposed Cyber Crime Risk Orders (CCROs), which would allow police and courts to place restrictions on people considered high risk before they carry out further serious breaches. CCROs, announced by the UK government as part of planned reforms to the Computer Misuse Act, would “enable earlier law enforcement interventions against high-risk cyber-crime offenders,” Foster said.

Both Flowers and Jubair pleaded guilty on the first day of their trial.

Advertisement
Advertisement