Two Scattered Spider Hackers Jailed for Attacking Transport for London

Owen Flowers, 18, and Thalha Jubair, 20, each received five-and-a-half years after pleading guilty to a 2024 attack that stole data on up to 10 million customers and cost TfL £29 million to recover from.

ThreatVectr Newsdesk· 3 min read
A digital lock breaking open over a map of Lithuania, symbolizing a data breach
Share

Key points

  • Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced to five years and six months at Woolwich Crown Court in 2025.
  • The pair broke into Transport for London's systems on 31 August 2024, starting at 5 p.m. and streaming the 16-hour attack online.
  • Personal data belonging to as many as 10 million TfL customers was stolen; BBC Technology first reported that this database is still circulating in criminal forums.
  • TfL says the attack cost it £29 million, forced all 27,000 staff to reset passwords in person, and knocked out 148 technology systems.
  • Jubair faces a separate US extradition request linked to alleged ransoms totalling $115 million paid to him and associates.

At 5 p.m. on a Saturday in August 2024, two teenagers began hacking into Transport for London's computer systems. They filmed themselves doing it and shared the stream online.

The method was simple. They called TfL's phone helpdesk and pretended to be a member of staff. The helpdesk worker, following normal procedure, reset the employee's password. That reset handed the criminals the keys to TfL's internal systems.

This is known as social engineering, where attackers talk their way past security rather than breaking through it with code. No exotic software flaw was needed. A convincing phone call was enough.

How did two teenagers pull this off?

They were well-practised. Jubair, now 20, was first arrested at age 14 and had 22 previous convictions for hacking, fraud and harassment before this case. He had earlier received a Youth Rehabilitation Order for hacking with Lapsus$, a criminal group that previously targeted companies including Nvidia and BT. Flowers, now 18, had been handed a cease-and-desist order for minor cyber offences at 16. When officers arrested him in September 2024, they found him mid-attack on two US healthcare providers. Messages recovered by police show him joking that the healthcare hacks might be "killing a 90-year-old on life support." Police seized around £1 million in cryptocurrency from Flowers alone.

Both men were members of Scattered Spider, a loosely connected group of young, English-speaking hackers linked to attacks on Marks and Spencer, the Co-op and dozens of other organisations.

Once inside TfL's network, the pair searched a database of Oyster card holders, the accounts Londoners use to pay for tube and bus travel, looking up the personal details of celebrities. They then attempted to reach banking information. The stolen data covers names, addresses, email addresses, Oyster card refund data and some bank account details.

TfL's IT team eventually stopped the attack by logging every member of staff out of every system and cutting TfL's network from the internet entirely. The National Crime Agency (NCA) had tipped TfL off to the breach. Even so, 148 systems went offline, Dial-a-Ride services for disabled Londoners were badly disrupted, and the recovery bill reached £29 million.

While awaiting trial in prison, both men were found with hidden phones. Recovered messages show them planning further attacks.

Cybersecurity analyst Allison Nixon argued after sentencing that the sentences alone would not deter others. "Policymakers need to address this as a violent youth gang problem," she said.

If you have an Oyster card or a TfL account, here is what to do. Check your bank and payment card statements for charges you do not recognise. If you use the same password for TfL anywhere else, change it. Be cautious of emails or texts claiming to be from TfL asking you to click a link or confirm details.

© 2026 Threat Vectr