Two British hackers have each been jailed for five years and six months after carrying out the 2024 Transport for London (TfL) cyber attack. Investigators say the pair used social engineering to gain access to TfL’s network, exposing customer data and causing widespread disruption.
Key Takeaways
| Key Point | Details |
|---|---|
| Two hackers jailed | Owen Flowers and Thalha Jubair each received 5½-year prison sentences. |
| Millions affected | Personal data linked to millions of TfL customers was compromised. |
| Attack used deception | Hackers tricked an IT helpdesk employee instead of exploiting software flaws. |
Fast Facts
| Fact | Information |
|---|---|
| Attack period | 31 Aug – 3 Sept 2024 |
| Hackers | Owen Flowers (18), Thalha Jubair (20) |
| Hacker group | Scattered Spider |
| Sentencing | 16 July 2026 |
| Financial impact | About £29 million |
| Systems disrupted | 148 |
| Employees affected | Around 27,000 required password resets |
| Customer records | Up to 10 million affected |
What Happened
Two young members of the cybercrime group Scattered Spider have been sentenced after carrying out one of the UK’s most disruptive cyber attacks against Transport for London (TfL).
Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from East London, admitted their role in the 2024 attack before being sentenced to five years and six months in prison each at Woolwich Crown Court.
The breach forced TfL to disconnect critical systems, reset employee credentials across the organization, and begin a lengthy recovery process after customer information was exposed.
Investigators said the hackers were motivated largely by reputation within online cybercrime communities rather than financial reward alone.operational disruption.
How the TfL Cyber Attack Was Carried Out
Unlike many large cyber attacks, investigators said this breach did not begin with sophisticated malware or a newly discovered software vulnerability.
Instead, the attackers relied on social engineering—convincing an IT support worker that they were a legitimate employee who needed account assistance.
Once access was granted, they registered their own device for multi-factor authentication, allowing them to enter TfL’s internal systems.
From there, they gradually increased their access privileges, moved across multiple internal networks, created hidden access routes for future logins and removed system logs to make detection more difficult.
The court also heard the pair streamed part of the intrusion online while the attack was taking place.
How the Hack Was Carried Out
Investigators said the attackers relied on social engineering rather than sophisticated malware. By manipulating a support desk employee into resetting login credentials, they bypassed security controls and gained access to sensitive systems.
Court proceedings also revealed that the pair streamed parts of the attack online and exchanged messages celebrating their access to TfL databases, highlighting how online notoriety was a major motivation behind the crime.
Attack Timeline
| Date | What Happened |
|---|---|
| 31 Aug 2024 | Attack began after hackers gained initial network access. |
| 1 Sept 2024 | National Crime Agency detected suspicious activity and alerted TfL. |
| 1–3 Sept 2024 | TfL shut down systems and removed hackers from the network. |
| Sept 2024 | Suspects arrested by the National Crime Agency. |
| June 2026 | Both pleaded guilty before trial. |
| 16 July 2026 | Each sentenced to five years and six months in prison. |
How Investigators Tracked the Hackers
The National Crime Agency worked with the City of London Police, the FBI and other partners to identify those responsible.
When officers arrested Owen Flowers, investigators said he was allegedly carrying out cyber attacks against US healthcare organisations at the same time.
Digital evidence recovered from laptops, hard drives, messaging platforms and recorded videos linked both defendants directly to the TfL intrusion.
Authorities also recovered cryptocurrency assets and online communications showing discussions about the attack.
Impact on TfL
The breach disrupted far more than customer accounts.
Around 148 technology systems became unavailable during recovery, while approximately 27,000 employees had to attend offices in person to reset passwords.
Several public services experienced delays, including Dial-a-Ride bookings, Oyster-related services and customer refund systems.
TfL estimated the incident cost approximately £29 million in recovery expenses and operational disruption.
Why This Attack Matters
Security experts say the case demonstrates that people—not software—can often become the weakest point in cybersecurity.
Rather than exploiting technical flaws, the attackers manipulated human trust to gain access to critical infrastructure.
The case has also renewed calls for stronger identity verification, improved employee training and stricter protection for organisations responsible for essential public services.
Investigators warned that social engineering remains one of the fastest-growing cyber threats facing governments and businesses worldwid
Official Response
The National Crime Agency described the prosecution as one of the UK’s most significant cybercrime cases.
Officials said early cooperation from TfL helped investigators contain the breach before it caused even greater disruption.
Security Minister Dame Angela Eagle said the convictions should serve as a warning that attacks against critical national infrastructure carry serious consequences.
Transport for London also thanked investigators and said it continues strengthening security measures to better protect customer information.
Bottom Line
The TfL cyber attack has become one of the UK’s most significant cybercrime cases because it showed how a simple act of deception can lead to major disruption. The convictions of Owen Flowers and Thalha Jubair close an important chapter in the investigation, but the case also highlights why organizations continue investing in stronger cybersecurity, employee awareness, and faster incident response.