Two Hackers Sentenced to 5.5 Years for £29 Million Transport for London Attack

Owen Flowers, 18, and Thalha Jubair, 20, have each been sentenced to five and a half years in prison for their roles in the 2024 cyberattack against Transport for London (TfL). Woolwich Crown Court im...

Owen Flowers, 18, and Thalha Jubair, 20, have each been sentenced to five and a half years in prison for their roles in the 2024 cyberattack against Transport for London (TfL). Woolwich Crown Court imposed the sentences on 16 July 2026 after both defendants pleaded guilty to a charge under Section 3ZA of the Computer Misuse Act 1990.

The provision covers unauthorized computer activity carried out recklessly, where there is a significant risk of serious damage to human welfare. Prosecutors said the case is believed to be the first successful conviction under the section, while the National Crime Agency (NCA) described it as the UK's second prosecution involving the offense.

Disruption across TfL services

The intrusion took place between 31 August and 3 September 2024 and rendered 148 TfL systems unavailable. The disruption affected Dial-a-Ride, online payments, concessionary travel-card services, Oyster photocard applications, refunds and the planned expansion of contactless ticketing. TfL also required approximately 27,000 employees to reset their passwords in person.

According to the NCA and the Crown Prosecution Service, the incident generated around £29 million in losses and recovery costs. TfL said attackers accessed customer names and email addresses, as well as some home addresses. Data associated with Oyster refunds may also have been exposed, including bank details for roughly 5,000 people.

Investigators said the defendants communicated through Telegram and shared an online workspace while the attack was under way. Flowers was arrested on 6 September 2024, reportedly while conducting separate intrusions against two US healthcare organizations. Devices seized during the arrest contained material linking him to the TfL compromise, including a screenshot of network access and recordings of Jubair navigating TfL systems.

The NCA identifies both men as senior participants in Scattered Spider, also known as Octo Tempest, UNC3944 and 0ktapus. Authorities associate the group with social engineering, SIM swapping, data theft and extortion. Flowers also admitted charges connected to attacks on SSM Health Care Corporation and Sutter Health.

Jubair faces separate, unresolved allegations in the United States concerning numerous intrusions, ransom payments and cryptocurrency transfers. Those claims have not been tested in court. UK authorities said the convictions significantly disrupted Scattered Spider, while warning that other criminals could continue using the group's name and techniques.