ByGreta RuffinowithAFP
Published on
A UK court on Thursday sentenced two young men to prison over a 2024 cyberattack on London’s public transport operator that exposed the personal data of millions of customers in one of Britain’s largest data breaches.
ADVERTISING
ADVERTISING
Thalha Jubair, 20, from east London, and Owen Flowers, 18, from England’s West Midlands, were each sentenced to five-and-a-half years in prison at Woolwich Crown Court in London.
The pair pleaded guilty last month to hacking Transport for London’s (TfL) network between 31 August and 3 September 2024, gaining access to the names and contact details of around seven million customers.
“Two men have been convicted for launching a cyber attack on Transport for London which cost tens of millions of pounds in losses and impacted thousands of customers,” the City of London Police, wrote on X.
According to Judge Mark Turner, the attack did not disrupt transport services but left parts of TfL’s systems offline for three months, costing the organization around £25 million (€29.3 million).
Turner said the pair’s actions had caused “very serious” disruption and were motivated primarily by “selfish bravado”.
How did the hackers breach TfL’s network?
According to prosecutor Mark Fenhalls, the pair gained access to the transport network using TfL employee credentials found on “russianmarket”, a dark web marketplace for stolen logins.
The pair worked for 16 straight hours, communicating via the messaging app Telegram throughout the night, to breach the system after convincing the helpdesk to reset an employee’s password.
During the intrusion, the teenagers searched the network for celebrities’ travel histories and attempted to access customers’ payment information.
After gaining additional privileges over several days, the hackers effectively held “the keys to the kingdom”, giving them “control over the whole network”, Fenhalls said.
During the intrusion, Flowers told Jubair that “the government deserves to be hacked”, the court heard, as TfL and authorities, who discovered the attack on September 1, 2024, took days to regain control of the network.
“Experienced and talented”
Both men were linked to Scattered Spider, a cybercrime group believed to be behind a string of high-profile attacks, including those targeting British retailers Marks & Spencer and the Co-op.
Arrested in September 2025 following a National Crime Agency (NCA) investigation, prosecutors described the pair as “experienced and talented” hackers who had been known to police for years.
Flowers also admitted hacking US-based healthcare providers Sutter Health and SSM Health Care Corporation. The NCA said officers found him carrying out those attacks when they raided his home on 6 September 2024 as part of the TfL investigation.
Jubair had previously been convicted as a juvenile over cyberattacks targeting US chipmaker Nvidia and also admitted hacking the City of London Police.