Infosecurity

‘Selfish Bravado’ Behind TfL Cyber-Attack, Judge Says as Pair Jailed for Five Years

Published

on

Two men who breached Transport for London’s systems in 2024, stealing data from millions of Oyster card users and forcing the shutdown of key accessibility services, have been sentenced to five years and six months in prison.

Owen Flowers, 18, and Thalha Jubair, 20, pleaded guilty in June 2026 to unauthorized acts under the UK’s Computer Misuse Act. The judge at Woolwich Crown Court, Justice Turner, said the attack was driven partly by “selfish bravado” — not purely by money.

The case is the second criminal prosecution of its kind under the CMA in the UK. And it’s the largest cybercrime prosecution ever brought before British courts, according to the National Crime Agency (NCA).

How the TfL cyber-attack unfolded

Flowers was 17 and Jubair 18 when they first broke into TfL systems on August 31, 2024. They held access for three days.

Their entry point? Partial employee credentials bought from “well-known online criminal marketplaces and forums,” a senior NCA officer confirmed. Then came social engineering: multiple attempts to reset two-factor authentication (2FA) for TfL staff accounts.

“It took multiple attempts to successfully reset that 2FA, so they were persistent — as we know they are,” the officer said. Once inside, the pair escalated privileges, moving deeper into TfL’s network.

Telegram messages between the two showed they knew they’d accessed the database of Oyster cardholders. They even streamed their progress live to an online audience, the judge noted.

£29m in damages — and a near miss for the UK economy

The TfL cyber-attack cost the transport body £29 million ($38 million) in direct losses and recovery. TfL also reported an additional £10 million ($13.5 million) in lost income.

While the hackers never shut down trains or buses, the operational fallout was severe:

  • The Oyster refund system was compromised, forcing TfL to close applications for Oyster photocards for children and young people.
  • The Dial-a-Ride booking system — used by people with disabilities — was taken offline.
  • Live Tube data on apps like TfL Go and CityMapper was suspended.
  • Over 27,000 TfL employees had to reset their passwords in person.
  • Some staff worked from home for the whole of September 2024.

In total, between seven and 10 million people across the UK were affected. Had the attackers succeeded in disabling the transport network, the NCA estimated the cost to the UK economy could have reached £56 billion ($75 billion).

Scattered Spider: from teenage hackers to a major threat

Flowers and Jubair are believed to be part of Scattered Spider, a hacking group linked to attacks on Marks & Spencer and Co-op in 2025. Scattered Spider emerged from a loose collective known as The Com, which also spawned groups like Lapsus$ and ShinyHunters.

The NCA describes Scattered Spider as “the most significant cybercrime threat to the UK in recent years.” Their tactics? Phishing, voice phishing (vishing), SIM swapping, and ransomware.

Jubair’s record is extensive: 22 prior convictions, starting at age 14. In 2023, he received a Youth Rehabilitation Order for offences linked to Lapsus$. He is also wanted by US authorities for alleged cybercrimes involving the theft and extortion of millions of dollars.

Flowers had a history too. In October 2023, West Midlands Police issued him a cease-and-desist notice. He was offered training on computer misuse laws — and turned it down. After his arrest for the TfL hack, he was granted bail but violated conditions twice: once in October 2024 and again in May 2025. He also received a formal warning in March 2025.

Sentencing: youth, neurodiversity, and high expertise

Justice Turner weighed mitigating factors — the defendants’ youth and diagnosed neurodiversity — against aggravating ones, particularly their “high expertise,” which meant they likely understood the full impact of their actions.

The five-and-a-half-year sentences reflect that balance. Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, called the prosecution “the culmination of nearly two years of painstaking work by the NCA, Crown Prosecution Service (CPS) and our policing partners.”

“Through this investigation, we have severely disrupted that threat and brought key offenders to justice,” Foster added.

What this means for UK cybercrime in 2026

The NCA warns that the threat from serious organized cybercrime to the UK remains “very high” in 2026. While a small number of attacks come from UK-based individuals motivated by notoriety, the vast majority are launched by criminals abroad, driven by financial gain.

The TfL cyber-attack case sets a significant precedent. It shows UK courts are willing to hand down long sentences for cyber intrusions — even when the perpetrators are teenagers. And it underscores the vulnerability of critical public infrastructure to determined, socially engineered attacks.

For TfL, the recovery continues. For the millions of Londoners whose data was exposed, the question remains: how many more attacks like this are coming?

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version