Young British hackers jailed for London transport cyberattack
A UK court on Thursday jailed two young men for a 2024 cyberattack on London's public transport operator that exposed the details of millions of customers, in one of Britain's biggest data breaches.
Thalha Jubair, 20, from east London, and 18-year-old Owen Flowers from England's West Midlands were each handed five-and-a-half-year sentences at London's Woolwich Crown Court.
The pair pleaded guilty last month to hacking Transport for London's (TfL) network between August 31 and September 3 2024, gaining access to around seven million customers' names and contacts.
Sentencing the men, judge Mark Turner said their actions had caused "very serious" disruption and were motivated primarily by "selfish bravado".
The attack did not affect transport on TfL's networks but knocked its services offline for three months, costing the organisation around £25 million ($33 million), according to the judge.
TfL, which had to reset the passwords of some 27,000 employees, estimated the attack cost £29 million in damages and £10 million in lost income.
With the level of control they achieved over multiple days in the system, prosecutors said the British pair "could have shut down TfL completely" and potentially caused "catastrophic damage".
Both men were linked to Scattered Spider, an online criminal collective believed to be behind a string of high-profile cyberattacks, including on British retailers Marks & Spencer and the Co-op.
Arrested in September 2025 following a National Crime Agency (NCA) investigation, the pair were described by prosecutors as "experienced and talented" hackers who had been known to police for years.
Flowers also admitted to two counts of hacking into US-based organisations, Sutter Health and SSM Health Care Corporation.
When the NCA raided Flowers' home on September 6 2024 as part of their TfL investigation, they found him actively carrying out those attacks.
Jubair had previously been convicted as a juvenile over cyberattacks targeting US chipmaker Nvidia and admitted hacking the City of London Police force.
- 'Keys to the kingdom' -
The pair gained access to the transport network using TfL employee credentials found on "russianmarket", a dark web marketplace for stolen logins, prosecutor Mark Fenhalls told the court on Wednesday.
They worked for 16 straight hours and throughout the night, communicating via messaging app Telegram, to breach the system after convincing the helpdesk to reset an employee password.
During the intrusion, the teenagers searched the network for the travel histories of celebrities and tried to access customers' payment information.
After gaining more privileges in the system over several days, the hackers effectively held "the keys to the kingdom", giving them "control over the whole network", Fenhalls said.
During the intrusion, Flowers told Jubair that "the government deserves to be hacked", the court heard, as TfL and authorities, who discovered the attack on September 1 2024, took days to regain control of the network.
- Scattered Spider -
The NCA's cybercrime boss Paul Foster said the conviction marked "the largest criminal prosecution of cyber offenders in UK history".
Scattered Spider is "responsible for some of the most serious and damaging cyber attacks affecting the UK and countries around the world," he said in comments made outside the court Wednesday.
"As a result of this investigation, that threat has been significantly disrupted and degraded," he added.
Jubair began hacking as a child, teaching himself to code when he was 10 before attracting the attention of older cybercriminals by age 14, the court heard.
His lawyer, Paul Keleher, told the court he had been groomed and exploited by online criminals while under 18 to conduct cyberattacks globally.
Judge Turner said the TfL attack showed he had moved from being exploited to becoming a perpetrator himself.
While remanded in custody, Flowers managed to gain access to online tools to attempt to hack into multiple international government domains.
C.Osborn--MC-UK