TfL Hackers Could Have Caused 'Catastrophic Damage,' Court Hears
TfL Hackers Could Have Caused 'Catastrophic Damage'

Two 'experienced and talented' hackers forced Transport for London (TfL) to 'pull the plug' on its systems at a cost of £29 million, a court has heard. Thalha Jubair, 20, and Owen Flowers, 18, conducted an 'extremely serious hack' on TfL's online network between August 31 and September 3 2024, which could have done 'catastrophic damage'.

Hack Details and Impact

The hack forced all of TfL's more than 27,000 employees to attend an office to reset their passwords. Data from the Oyster refund system was accessed, contactless systems were delayed, and applications for Oyster photocards for children and young people were closed down. The pair appeared at Woolwich Crown Court on Wednesday after admitting their roles.

Mark Fenhalls KC, prosecuting, said: 'These two young men are highly skilled with computers and capable of wreaking havoc and you may think wholly indifferent to the consequences for the public and the potential suffering and costs to others.' Along with the £29 million in damages from disruption to services and operational work, TfL claims the incident cost £10 million in lost income.

Wide Pickt banner — collaborative shopping lists app for Telegram, phone mockup with grocery list

How the Hack Unfolded

The hackers worked through the night for 16 hours to access the TfL systems after tricking the helpdesk into resetting a password for them. They then logged on to Microsoft Azure and began 'using TfL's own systems to hack itself' as they moved up through the system. 'They are both experienced and talented hackers who were together in concert with others to attack TfL,' said Mr Fenhalls.

The prosecution added that the hackers 'could have shut out and shut down TfL completely' as they eventually had the 'highest privileged access' in the system, known as 'the keys to the kingdom'. A TfL victim impact statement read in court said: 'It is possible that access could have been sufficient to enable the actor to cause catastrophic damage to many technology systems, which would have led to significant and extended transport service degradation and disruption.'

Links to Scattered Spider Group

The defendants were tied to a group known as Scattered Spider, which the National Crime Agency (NCA) has linked to other cyberattacks on Jaguar Land Rover and retailers including Marks & Spencer. Flowers also livestreamed Jubair as he conducted the hack, and some of the videos were recovered when he was arrested three days later on September 6.

The pair were in constant contact during the attack, and spoke about 'nuking access' to the servers on their way out. Mr Fenhalls said: 'They were utterly reckless about the consequences of hacking TfL, the transport network and the communications for the country. It only came to an end because TfL threw them out rather than they chose to stop.'

Evidence and Sentencing

Together they used remote servers to conceal the origin of the attack, created virtual machines within the TfL system to destroy evidence, downloaded millions of lines of data, and created multiple back doors. The prosecution underlined a potential loss of billions to the UK if the hackers had locked or destroyed the central TfL system. 'This is hacking of the most serious sort with the ability to do remarkable levels of damage,' said Mr Fenhalls.

Defending Jubair, Paul Keleher KC compared his client to a 'modern day Oliver Twist' who had been groomed from a young age. Mr Justice Turner said: 'There's no Fagan in this case, it's a Faganless crime. He has an audience but he doesn't have a puppet master, he's promoted himself to an instigator and perpetrator.' Jubair was sentenced last year for 22 offences including hacks on individuals, telecoms businesses and the City of London Police system.

On behalf of Flowers, who was 17 when he conducted the hack, Adam Davis KC described his client as an 'immature child trying to show off online'. When Flowers was arrested in September 2024, his laptop was found in the process of hacking two US healthcare systems. Those hacks were only stopped because of the 'fortuitous timing' of his arrest.

Both young men admitted conspiracy to commit unauthorised acts in relation to a computer causing or creating risk of serious damage. Flowers also admitted two counts of conspiracy to commit unauthorised acts in relation to a computer with intent to impair, in relation to the healthcare systems. Mr Justice Turner will pass sentence on the hackers at 11.30am on Thursday.

Pickt after-article banner — collaborative shopping lists app with family illustration