Teen Hackers Sentenced for £39m TfL Cyber-Attack
Teen Hackers Jailed for TfL Cyber-Attack Costing £39m

Two teenage hackers who infiltrated Transport for London's IT systems and held the "keys to the kingdom" were sentenced to five and a half years each on Thursday. Thalha Jubair, 20, and Owen Flowers, 19, pleaded guilty in June to the cyber-attack that occurred between 31 August and 3 September 2024, costing TfL £39m and compromising the data of around 7 million people.

Attack Details and Impact

The hackers gained the highest privileged access to TfL's systems, creating a "domain admin" account described in court as "the keys to the kingdom." According to prosecutors, they "could have shut out and shut down TfL completely." The attack prevented live tube arrival information on the TfL Go app and website, and TfL was unable to process payments on Oyster and contactless apps or register Oyster cards to customer accounts. The dial-a-ride service for disabled passengers was also unable to process bookings for a period.

TfL's head, Andy Lord, said the attack was the worst incident he had faced in his career. TfL stated the attack could have caused "catastrophic damage" to its technology systems and led to "significant and extended transport service degradation and disruption." The duo were only stopped when TfL effectively "pulled the plug" on its systems.

Wide Pickt banner — collaborative shopping lists app for Telegram, phone mockup with grocery list

Sentencing and Motives

Sentencing the pair at Woolwich Crown Court, Mr Justice Turner said the attack was "primarily motivated by selfish bravado, heedless of the severe consequences to others." The attack cost TfL £39m—£29m in damage to IT systems and £10m in lost income. The data of about 7 million people was stolen, and 27,000 TfL staff were forced to reset their passwords.

Jubair and Flowers were key figures in the hacker collective Scattered Spider, which is suspected of numerous hacks. The National Crime Agency said the convictions had "effectively halted the group's criminal activity." Both had accrued millions of dollars in cryptocurrency through their activities.

Background of the Hackers

Jubair, from Bow, east London, lived with his parents in a council flat. He had been convicted of 22 offences as a teenager, including fraud and computer misuse. Flowers, from Walsall, West Midlands, lived with his grandmother and uncle. He had been subject to a cease-and-desist notice from West Midlands police in October 2023 and turned down training to guide him away from cybercrime.

Both defendants have been diagnosed with autism; Jubair also has depression and a severe mood disorder. The court heard that Jubair had tried to kill himself and was "isolated and bullied at school." Flowers was described as an "immature child trying to show off online" with an "unsettled childhood."

Method of Attack

The hackers accessed TfL's systems via an unnamed co-conspirator who called the TfL help desk with stolen login details, pretending to be an employee. A call handler was tricked into resetting authentication to a device controlled by Jubair and Flowers, who then escalated their access. The attack was not ransomware; however, the pair had access to vast sums of money, with $10m moved from Jubair's crypto wallets after his release from custody, and $200m-worth of crypto moving through accounts belonging to him. Flowers held $7.1m in accounts he controlled despite having no source of income.

Pickt after-article banner — collaborative shopping lists app with family illustration