Index  ›  crime  ›  New Dispatch

Hackers jailed for five years for cyber attack on TfL network that cost around £29m

New Dispatch Published Jul 16, 2026 Reviewed Jul 17, 2026 ✓ Reviewed by citations.press editors
Hackers Thalha Jubair and Owen Flowers, aged 20 and 18 respectively, were sentenced to five years and six months in prison each after pleading guilty to breaching Transport for London’s systems in 2024, with a 15 per cent reduction applied for their guilty pleas.
5.5 years · Thalha Jubair5.5 years · Owen Flowers15 % · Thalha Jubair15 % · Owen Flowers
Hackers Thalha Jubair and Owen Flowers caused Transport for London an estimated £29 million in costs following a cyber attack carried out between August 31 and September 3, 2024.
29000000 GBP · Transport for London
Following their arrest, Thalha Jubair and Owen Flowers were found to have attempted to hack two US healthcare providers, SSM Health and Sutter Health, before being apprehended on September 6, 2024.
Prosecutor Mark Fenhalls KC stated the hackers risked losing £56 billion from the UK economy due to the transport service degradation and disruption caused by their cyber attack on Transport for London.
56000000000 GBP · UK economy
Thalha Jubair and Owen Flowers were members of the Scattered Spider cybercrime group, which has been linked to major attacks on Marks & Spencer, the Co-op, and Jaguar Land Rover in 2023.

Two young hackers have been jailed for five-and-a-half years after admitting to breaching Transport for London’s systems in a cyber attack that caused disruption across the network.

Thalha Jubair and Owen Flowers, now aged 20 and 18, gained access to TfL’s internal systems via the dark web in 2024, with the incident costing the transport authority an estimated £29million and affecting services for months.

Prosecutors described the pair as “experienced and talented” hackers, and said they were members of the notorious Scattered Spider cybercrime group, which has been linked to major attacks on M&S, Co-op and Jaguar Land Rover last year.

Jubair and Flowers both pleaded guilty shortly before their trial was due to begin last month, having previously denied the charges.

Judge Mr Justice Turner sentenced both men to five years and six months in prison, with each receiving a 15 per cent reduction for their guilty pleas.

As a result of the hack, TfL was forced to “pull the plug” on its systems at a huge cost.

Data from the Oyster refund system was accessed, contactless systems were delayed and applications for Oyster photo cards for children and young people were shut down.

The hack also meant all of TfL’s employees had to attend an office to reset their passwords.

During the hearing, prosecutor Mark Fenhalls KC said the pair risked losing £56billion from the UK economy through what TfL said was “significant and extend transport service degradation and disruption.”

TfL said: “Such widespread disruption would have had a serious impact on the travelling public, including for those accessing education, healthcare and other essential services, and London’s economy.”

The hack was carried out between August 31 and September 3, 2024.

They worked through the night for 16 hours to gain access to the network, with Flowers live-streaming the hack.

Some of the videos from the hack were recovered when he was arrested on September 6, three days after the incident.

Using remote servers allowed them to conceal the origin of the attack, while they also used virtual machines within the TfL system to destroy evidence.

Jubair’s barrister Paul Keleher KFC described him as a “modern day Oliver Twist” who had been groomed from a young age to be used for hacking.

Flowers’ barrister, Adam Davis KC, told the court his client was an “immature child trying to show off online”.

However, prosecutors said that when his laptop was seized after his arrest, it was being used in attempts to hack two US healthcare providers, SSM Health and Sutter Health.

The court heard those attacks were only prevented because of the “fortuitous timing” of his arrest. Flowers is wanted in the US, although he is not believed to currently be facing extradition proceedings.

After being remanded in custody in September 2025, Flowers was found to have purchased two “unlawful phones” while in prison and searched for login details linked to the Ministry of Justice, Wandsworth Prison staff and the Crown Prosecution Service.

This article was originally published by New Dispatch ↗. citations.press indexes the source-backed facts above and links to the original. Something wrong? Corrections policy · Report an error