Flowers, Jubair Plead Guilty to £39 Million TfL Hack as NCA Seeks New Powers
Updated · bbc.co.uk · Jun 25
Summary
Owen Flowers, 18, and Thalha Jubair, 20, admitted carrying out the 2024 cyber-attack that crippled Transport for London, disrupted services for months and forced all 28,000 staff to reset passwords in person.
Millions of passengers' personal data was affected, and the case has exposed how both men had been known to police for years before the breach despite repeated interventions.
Flowers was visited by regional cyber-crime officers in 2023 and given a cease-and-desist order, but later escalated his activity with Scattered Spider; investigators also found evidence tying him to hacks on two US healthcare groups.
Jubair had already received a Youth Rehabilitation Order linked to Lapsus$ offences and has 22 previous convictions; both men are also wanted in the US, where prosecutors allege cyber-crimes tied to $87 million in theft and extortion.
The National Crime Agency said the case shows why it wants proposed Cyber Crime Risk Orders, which would let courts restrict high-risk suspects earlier; sentencing is set for July 16.
The £39 Million TfL Hack: Attackers, Impact, and the Urgent Overhaul of UK Cybercrime Laws
Overview
In late 2024, Thalha Jubair and Owen Flowers launched a sophisticated cyberattack on Transport for London (TfL) by exploiting identity-based weaknesses, leading to a severe loss of trust in TfL’s internal systems. This forced all 30,000 employees to undergo in-person identity verification and password resets. The attack caused tens of millions of pounds in losses, disrupted staff access to internal systems, delayed customer refunds, and exposed personal data of over seven million customers. Both attackers pleaded guilty in 2026, highlighting the urgent need for stronger cybersecurity measures and legal reforms to protect critical infrastructure.