Advertisement
UKExplainer

What was the TfL cyber attack? The 2024 hack explained

The 2024 hack on Transport for London by teenage hackers who stole millions of data and cost £29m.

UK

What was the TfL cyber attack? The 2024 hack explained

In August 2024, two teenage hackers spent 16 hours live-streaming a cyber attack on Transport for London (TfL) that gave them the highest level of access to the capital's transport network, forcing TfL to 'pull the plug' on its own systems. The attack, which cost £29 million in damages and £10 million in lost income, was carried out by Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from east London, who were both jailed for five years and six months in July 2026. The pair were members of Scattered Spider, a loosely organised cyber crime collective that has been linked to dozens of other attacks, including on retailers Marks and Spencer, the Co-op, and Jaguar Land Rover.

The hack began at 5pm on 31 August 2024 when Flowers and Jubair tricked a TfL helpdesk employee into resetting the password of a staff member they impersonated. Once inside, they logged onto Microsoft Azure and used TfL's own systems to escalate their privileges, creating a 'domain admin' account that prosecutors described as 'the keys to the kingdom'. Over the next four days, they accessed databases containing personal data of up to 10 million TfL customers, searched for celebrities' details, and attempted to access banking information. TfL became aware of the breach through the National Crime Agency (NCA) and responded by logging out all 27,000 employees and disconnecting TfL systems from the internet, which left 148 technology systems inoperable. Because of the disruption, Oyster and contactless payments could not be processed, Dial-a-Ride services for disabled passengers were unable to take bookings, and all staff had to attend offices in person to reset their passwords.

The 2024 hack on Transport for London by teenage hackers who stole millions of data and cost £29m.

The Scattered Spider group, which has recruited young English-speaking hackers in the UK, US and Finland, is considered by the NCA to be one of the biggest threats to the UK's cyber security. Flowers and Jubair were computer-obsessed loners who had few offline friends and spent most of their time online. Both had autism. At Woolwich Crown Court, the judge said their actions were 'primarily motivated by selfish bravado, heedless of the severe consequences for others'. The prosecution argued the hack could have caused 'catastrophic damage' and, had the pair encrypted or destroyed TfL's central 'OneLondon' system, a potential loss of £56 billion to the UK economy.

Advertisement

The attack on TfL is a stark reminder of the vulnerability of critical national infrastructure to social engineering and the growing threat posed by young, skilled hackers. For UK readers, the incident directly affected millions of commuters who rely on TfL's services and raised questions about the security of personal data held by public bodies. The £29 million cost—equivalent to around £1 per London journey in 2024—will be borne by taxpayers and passengers.

Q: How did the hackers get into TfL's systems? They used a social engineering trick: calling the TfL helpdesk, impersonating a staff member, and convincing the employee to reset that person's password. From there, they used TfL's own Microsoft Azure environment to climb to the highest admin level.

Q: What personal data was stolen? The hackers accessed TfL's database of Oyster card customers, which contained the personal details of up to 10 million people. They also searched for celebrities' details and tried to access banking information. The data was later shared in criminal forums.

Advertisement

Q: What is Scattered Spider? Scattered Spider is a loosely coordinated group of young, mostly English-speaking cyber criminals. They have been linked to hacks on M&S, the Co-op, Jaguar Land Rover, and Harrods, causing hundreds of millions of pounds in losses. The group uses social engineering to gain initial access and then deploys ransomware or steals data.

What happens next? Flowers and Jubair are now serving their sentences. However, the stolen TfL data continues to circulate among criminal groups, and the NCA warns that young hackers remain a major threat. TfL has said it has implemented new security measures to prevent a repeat, but the case underscores the ongoing need for public and private organisations to strengthen their defences against social engineering attacks.

Advertisement
Advertisement