Circuit Wire — a daily news update from The Circuit.
Thalha Jubair, 19, and Owen Flowers, 18, were sentenced to five and a half years in prison each on July 16 at Woolwich Crown Court for a 2024 cyberattack on Transport for London, the National Crime Agency said. Both pleaded guilty in June, the day their trial was due to start.
The pair broke into TfL's network between August 31 and September 3, 2024, disabling more than 140 systems and forcing all 27,000 TfL employees into an office for in-person password resets. The National Crime Agency and Crown Prosecution Service put TfL's losses and recovery costs at £29 million. Prosecutors said chats between the pair suggested they intended to disable TfL's systems entirely, a step that could have cost the UK economy billions more had it succeeded.
The attack disrupted the Dial-a-Ride booking service for vulnerable Londoners, delayed a planned expansion of contactless ticketing, and closed applications for children's discounted Oyster cards. TfL later said the breach exposed names, email addresses, and in some cases home addresses, along with bank account and sort code details tied to roughly 5,000 Oyster refund accounts.
Investigators linked Flowers to a remote server used in the TfL attack through devices seized at his home, including a laptop holding videos of Jubair navigating TfL systems during the breach. Evidence tying Jubair to the attack was gathered with help from prosecutors overseas.
Both men were charged under Section 3ZA of the UK's Computer Misuse Act, its most serious provision, which covers acts that recklessly create a significant risk of serious damage. The Crown Prosecution Service said the two are believed to be the first hackers successfully prosecuted under that section.
Flowers was arrested on September 6, 2024, while investigators say he was mid-attack against two US healthcare providers, SSM Health and Sutter Health. He pleaded guilty to additional charges tied to both intrusions after threatening in encrypted chats to disrupt hospital systems.
NCA Deputy Director Paul Foster called the case "the largest cyber crime prosecution ever brought before the UK courts." Investigators tie Jubair and Flowers to Scattered Spider, a group blamed for hundreds of attacks on companies and government agencies since 2022.
Want a weekly roundup of the major stories shaping the security industry? The On The Circuit newsletter is read by more than 12,000 protection professionals.
Spotted something we should cover? Send tips and feedback via circuit-magazine.com.

