TfL hackers jailed after £39m breach exposes 7m people
The jailing of two teenagers for a devastating cyberattack on London’s transport network highlights the critical vulnerability of European public infrastructure to basic social engineering.
Two teenage hackers have been sentenced to five and a half years in prison for a cyberattack that paralysed parts of London’s transport network and compromised the data of seven million people. Thalha Jubair, 20, and Owen Flowers, 19, gained unfettered access to Transport for London’s (TfL) systems over four days in late August and early September 2024. The breach ultimately cost the publicly funded transport authority £39 million.
For European infrastructure operators and municipal governments, the case underscores a stark vulnerability. The attack did not rely on sophisticated ransomware, but on a simple phone call. An unnamed co-conspirator tricked a TfL helpdesk worker into resetting an employee's authentication credentials, handing the hackers a gateway into the network.
Once inside, the pair escalated their privileges to create a "domain admin" account described in court as the "keys to the kingdom". While main tube and bus services kept running, the practical fallout was immediate. The TfL Go app lost live arrival data, Oyster and contactless payment systems froze, and a dial-a-ride service for disabled passengers was knocked offline. TfL chief Andy Lord called it the worst incident of his career, noting the attack could have caused "catastrophic damage".
A profitless but destructive breach
Despite the scale of the disruption, the attack was driven by ego rather than financial extortion. Mr Justice Turner sentenced the pair, stating they were "primarily motivated by selfish bravado, heedless of the severe consequences to others".
However, the hackers were not amateurs in terms of criminal accumulation. Flowers held $7.1 million in crypto assets, while $200 million moved through Jubair’s accounts. These funds were proceeds linked to the wider activities of their hacking collective, Scattered Spider, rather than the TfL breach itself.
Scattered Spider has been linked to numerous high-profile hacks globally, making its disruption a significant win for law enforcement. The National Crime Agency said the convictions had "effectively halted the group’s criminal activity." Flowers was also sentenced for hacking two US healthcare providers.
The fact that two isolated teenagers communicating via Telegram could force Europe’s largest municipal transport network to physically pull the plug on its own systems to prevent total shutdown serves as a warning. It demonstrates that the weakest link in critical urban infrastructure often remains human, not technological.