UK Court Jails Young Hackers Over London Transport Cyberattack

News Desk
UK Jails Hackers Thalha Jubair, Owen Flowers Over TfL Attack
Credit: Reuters/Finance Uncovered

Key Points

  • Thalha Jubair, 20, and Owen Flowers, 18, were jailed for five-and-a-half years each at Woolwich Crown Court over a 2024 cyberattack on Transport for London (TfL).
  • The pair pleaded guilty last month to hacking TfL’s network between 31 August and 3 September 2024, accessing the personal details of around seven million customers.
  • Judge Mark Turner said the attack caused “very serious” disruption driven mainly by “selfish bravado”.
  • The cyberattack knocked TfL’s services offline for three months and cost the organisation roughly £25 million, according to the judge.
  • TfL had to reset the passwords of some 27,000 staff members, with total damages estimated at £29 million and lost income at £10 million.
  • Prosecutors said the hackers gained enough control that they “could have shut down TfL completely”.
  • Both men were linked to Scattered Spider, an online criminal network also connected to attacks on Marks & Spencer and the Co-op.
  • Owen Flowers additionally admitted hacking two US healthcare organisations, Sutter Health and SSM Health Care Corporation.
  • Thalha Jubair had previously been convicted as a juvenile over attacks on Nvidia and had also admitted hacking the City of London Police force.
  • The National Crime Agency described the case as the largest criminal prosecution of cyber offenders in UK history.

Woolwich (Britain Today News) July 16, 2026 – A UK court on Thursday jailed two young men for a 2024 cyberattack on London’s public transport operator that exposed the personal details of millions of customers, in what has been described as one of Britain’s biggest data breaches. Thalha Jubair, 20, from East London, and 18-year-old Owen Flowers from England’s West Midlands were each handed five-and-a-half-year sentences at Woolwich Crown Court after admitting their roles in the breach of Transport for London’s (TfL) systems.

What happened in the Transport for London cyberattack?

The pair pleaded guilty last month to hacking TfL’s network between 31 August and 3 September 2024, during which they gained access to the names and contact details of around seven million customers. Although the attack did not disrupt physical transport services across TfL’s network, it forced the organisation to take core systems offline for three months while engineers worked to contain the breach and rebuild secure infrastructure.

The scale of the intrusion alarmed prosecutors, who told the court that with the level of control the hackers achieved over multiple days inside TfL’s systems, they “could have shut down TfL completely” and potentially caused “catastrophic damage” to one of the world’s busiest transport networks.

Who are Thalha Jubair and Owen Flowers?

Jubair, from East London, and Flowers, from the West Midlands, were arrested in September 2025 following an investigation by the National Crime Agency (NCA). Prosecutors described the pair as “experienced and talented” hackers who had been known to police for a number of years before their arrest.

The court heard that Jubair began hacking as a child, teaching himself to code at the age of ten before attracting the attention of older cybercriminals by the time he was fourteen. His lawyer, Paul Keleher, told the court that Jubair had been groomed and exploited by online criminals while still under eighteen and had been directed to carry out cyberattacks around the world.

What sentence did the hackers receive?

Both Jubair and Flowers were sentenced to five and a half years in prison at Woolwich Crown Court. Passing sentence, Judge Mark Turner said the attack on TfL had caused “very serious” disruption and that the pair’s actions had been motivated primarily by “selfish bravado” rather than financial gain alone.

The judge noted that although Jubair had initially been drawn into cybercrime as a minor and a victim of grooming, the TfL attack demonstrated that he had since moved from being exploited by others to becoming a perpetrator in his own right.

How did the hackers gain access to TfL’s network?

According to prosecutor Mark Fenhalls, the two men gained access to the transport network using TfL employee credentials that had been found on “russianmarket”, a dark web marketplace known for trading stolen login details. Fenhalls told the court on Wednesday that the pair worked for sixteen consecutive hours, including through the night, communicating with one another via the messaging app Telegram, to breach the system after successfully convincing TfL’s IT help desk to reset an employee’s password.

Fenhalls said that once inside, the hackers spent several days expanding their access and privileges within the network. By the later stages of the intrusion, he said, the teenagers effectively held “the keys to the kingdom”, giving them “control over the whole network”.

What did the hackers do once inside TfL’s systems?

During the intrusion, the court heard, the pair searched TfL’s systems for the travel histories of celebrities and attempted to access customers’ payment information. The breach was only discovered by TfL and the authorities on 1 September 2024, and it took investigators several days to fully regain control of the network from the intruders.

Prosecutors told the court that while inside the system, Flowers messaged Jubair that “the government deserves to be hacked”, a remark cited by prosecutors as evidence of the pair’s motivation and mindset during the attack.

How much financial damage did the cyberattack cause?

Judge Turner said the attack cost TfL around £25 million (US$33.7 million) in total. Separately, TfL itself estimated that the breach resulted in £29 million in direct damages and a further £10 million in lost income, as the organisation was forced to overhaul parts of its digital infrastructure in the aftermath.

As part of its emergency response, TfL had to reset the passwords of approximately 27,000 members of staff to prevent further unauthorised access, a process that added significantly to the operational disruption caused by the breach.

What is Scattered Spider and how is it connected to the case?

Both Jubair and Flowers were linked to Scattered Spider, an online criminal collective believed to be responsible for a string of high-profile cyberattacks in recent years, including breaches at British retailers Marks & Spencer and the Co-op. The group has been associated with sophisticated social engineering techniques, such as impersonating employees to trick IT help desks into resetting passwords, a method mirrored in the TfL attack.

NCA cybercrime boss Paul Foster said outside court on Wednesday that Scattered Spider was

“responsible for some of the most serious and damaging cyberattacks affecting the UK and countries around the world.”

He added:

“As a result of this investigation, that threat has been significantly disrupted and degraded.”

What other cyberattacks were the pair involved in?

Beyond the TfL breach, Owen Flowers admitted to two further counts of hacking into US-based organisations, Sutter Health and SSM Health Care Corporation. The court heard that when the NCA raided Flowers’ home on 6 September 2024 as part of its investigation into the TfL attack, officers found him actively carrying out these separate intrusions into the American healthcare providers’ systems at the time.

Thalha Jubair, meanwhile, had a prior record as a juvenile, having previously been convicted over cyberattacks targeting US chipmaker Nvidia. He had also admitted separately to hacking the City of London Police force, adding to a pattern of offending that prosecutors said stretched back several years before the TfL attack.

What did investigators say about the case?

Paul Foster of the NCA described the prosecution as

“the largest criminal prosecution of cyber offenders in UK history,”

underlining the scale and significance of the case within Britain’s ongoing efforts to combat organised cybercrime. Foster’s comments, delivered outside Woolwich Crown Court, framed the sentencing as a major milestone in disrupting networks such as Scattered Spider, which investigators believe continue to pose a significant threat to organisations across the UK and internationally.
Explore More about Crime:
South London Burglars Jailed for Stealing £1m Weight-Loss Drugs
Murder Investigation Launched After Three Found Dead in Great Denham

What happened to Owen Flowers while he was in custody?

In a further development highlighted during proceedings, the court heard that while remanded in custody awaiting sentencing, Flowers managed to gain access to online tools and used them in an attempt to hack into multiple international government domains. The detail underscored concerns raised by prosecutors about the pair’s persistence and capability, even after their arrest and while held within the justice system.

What has been the wider reaction to the sentencing?

The case has drawn significant attention because of the scale of the data breach and the youth of those responsible. Judge Turner’s remarks about “selfish bravado” as a motivating factor, rather than purely financial reward, have been seen as reflecting a broader pattern among some younger cybercriminals linked to groups such as Scattered Spider, who are often drawn to hacking for status within online criminal communities as much as for profit.

Paul Keleher’s submission on Jubair’s behalf, describing a childhood trajectory from being a gifted young coder to being groomed by older criminals, added a further dimension to the sentencing, with the judge acknowledging this history while still concluding that Jubair’s conduct in the TfL attack marked a shift towards him acting as a principal offender rather than merely a exploited participant.

For TfL, the case brings a degree of closure to an episode that disrupted services for three months and required a costly rebuild of parts of its digital systems, even as the organisation and law enforcement agencies continue to grapple with the broader threat posed by loosely organised, technically sophisticated hacking collectives operating internationally.