Two young men responsible for a major cyberattack on Transport for London (TfL) caused at least £29 million in damages, a court heard this week. Thalha Jubair, 20, and Owen Flowers, 18, admitted to conducting a multi-day hack on TfL’s online systems between August 31 and September 3, 2024. The breach forced the organisation to suspend its systems, causing widespread disruption and significant financial losses.
The intrusion affected multiple aspects of TfL’s operations, including unauthorized access to data from the Oyster refund system, delays to contactless payment systems, and the temporary closure of applications for Oyster photocards for children and young people. The incident also required all of TfL’s 27,000 employees to attend offices for password resets.
During court proceedings at Woolwich Crown Court in London, prosecutors described Jubair and Flowers as "experienced and talented hackers" who worked together for approximately 16 hours overnight to compromise TfL’s security. They gained access by tricking the organisation’s helpdesk into resetting a password, after which they logged into Microsoft Azure and used TfL’s own systems to further penetrate the network. Prosecutor Mark Fenhalls KC said the defendants achieved "the highest privileged access," sometimes referred to as "the keys to the kingdom," granting them significant control over TfL’s infrastructure.
Prosecution statements stressed the potential scale of the attack, warning it could have caused "catastrophic damage" with serious and extended disruption to London’s transport network, impacting the travelling public. A victim impact statement from TfL outlined the risk of widespread technological damage and service degradation had the hackers not been locked out when they were.
Alongside the £29 million in damages related to disruption and operational impacts, TfL claimed an additional £10 million in lost income due to the hack. The prosecution emphasized the defendants’ recklessness and indifference to the consequences their actions could have had on public services and communications networks.
Jubair and Flowers both pleaded guilty to conspiracy to commit unauthorised acts in relation to a computer, causing or creating risk of serious damage. Flowers also admitted additional counts related to unauthorized access within healthcare systems. Defence lawyers painted differing pictures of the accused: Jubair’s counsel described him as a "modern-day Oliver Twist," suggesting he had been groomed into criminal activity from a young age, while Flowers’ lawyer characterized him as an "immature child trying to show off online."
The pair were reported to have associations with a hacking group known as Scattered Spider. Judge Mr Justice Turner was scheduled to deliver sentencing following the conclusion of the case.
