Two young cyber criminals who caused almost £29 million of damage after hacking Transport for London have been jailed following what prosecutors described as the UK’s largest-ever cyber crime prosecution. Thalha Jubair, 20, from east London, and Owen Flowers, 18, from Walsall, admitted carrying out a sophisticated cyber attack against Transport for London (TfL) between August 31 and September 3, 2024. The pair were sentenced at Woolwich Crown Court on Thursday, July 16, after pleading guilty to offences under the Computer Misuse Act. Jubair was jailed for five-and-a-half years, while Flowers also received a custodial sentence after both admitted their roles in the attack and being leading members of the notorious cybercrime group Scattered Spider. The National Crime Agency (NCA) said the breach caused an estimated £29 million of damage and severely disrupted TfL’s operations. Around 27,000 employees were forced to reset their passwords, while 148 internet systems were affected. The hackers also targeted TfL’s customer refund system, causing delays for passengers, disrupted applications for children’s Oyster photocards, affected concessionary travel services and the Dial-a-Ride booking system for vulnerable Londoners, as well as delaying the rollout of expanded contactless ticketing. Investigators warned the consequences could have been far worse. Had the attack succeeded in shutting down London’s transport network entirely, the estimated economic impact could have reached £56 billion. The pair were arrested at their home addresses on September 16, 2024. During searches of Flowers’ home, officers seized laptops, computer towers, hard drives and USB devices, along with evidence including screenshots showing access to TfL’s internal systems. Videos recovered by investigators also showed Jubair accessing TfL infrastructure during the attack. Flowers had already been under investigation after allegedly targeting healthcare companies in the United States, while Jubair was additionally charged with failing to disclose passwords for devices seized by investigators. Both defendants changed their pleas to guilty on June 22 this year, the day their trial was due to begin.
NCA: ‘Most significant cybercrime threat’
Paul Foster, Deputy Director and Head of the NCA’s National Cyber Crime Unit, described the case as a landmark prosecution. He said: “This is the largest cyber crime prosecution ever brought before the UK courts and the culmination of nearly two years of painstaking work by the NCA, CPS and our policing partners. “Scattered Spider has been the most significant cybercrime threat to the UK in recent years. Through this investigation, we have severely disrupted that threat and brought key offenders to justice. “The attack on Transport for London caused significant financial harm and disruption to a vital part of the UK’s critical infrastructure.” He praised TfL for working closely with investigators, adding that organisations should report cyber attacks to law enforcement as early as possible.
Calls for tougher powers
Following the case, City of London Police renewed calls for proposed Cyber Crime Risk Orders, which would allow courts to impose restrictions on convicted cyber offenders’ use of technology after release. Commander Ollie Shaw said the measures could create a form of “digital prison”, limiting access to devices, online services and technologies commonly used to commit cyber crime. Security Minister Dame Angela Eagle said the case highlighted the growing threat posed by cyber criminals. She said: “This shocking case shows the very serious threat that cyber criminals pose to our security and prosperity. “This should send a clear message to anyone planning illegal cyber activity that there will be consequences when you are caught.” The Government says new cyber security legislation and a National Cyber Action Plan are being developed to strengthen the UK’s resilience against future attacks.