HomeWorldUSALatin AmericaEuropeAsiaAfricaTV ShowsShowbizTravelLifestyleOpinionSciencePoliticsHealthSportsTechEntertainmentBusiness
Europe July 16, 2026

TfL hackers livestreaming £29M attack sentenced to 11 years

TfL hackers livestreaming £29M attack sentenced to 11 years

Two teenagers who carried out a major cyber attack on Transport for London have each been sentenced to five and a half years in prison.

Thalha Jubair and Owen Flowers were members of the loosely organised hacking group Scattered Spider when they targeted London’s transport network in 2024.

The attack caused widespread disruption and cost the public purse an estimated £29 million in remediation work.

Undated handout file photo originally issued on 22/06/26 by National Crime Agency of Thalha Jubair , one of two young members of a criminal hacking group who carried out a cyber attack on Transport for London (TfL) that cost the organisation millions of pounds that are facing jail. Jubair, 20, and Owen Flowers, 18, hacked TfL's online network, resulting in a ?39 million loss, prosecutors previously said. Issue date: Wednesday July 15, 2026. PA Photo. Photo credit should read: NCA/PA Wire NOTE TO EDITORS: This handout photo may only be used for editorial reporting purposes for the contemporaneous illustration of events, things or the people in the image or facts mentioned in the caption. Reuse of the picture may require further permission from the copyright holder.

Sentencing at Woolwich Crown Court, the judge said the offending was so serious that immediate custody was unavoidable, despite the defendants’ youth and neurodiversity.

The court heard the pair were part of a gang linked to dozens of high-profile attacks on major retailers and institutions.

Targets included a major car manufacturer, a national retailer, and a supermarket chain, with combined losses running into the billions.

One retailer shut down its systems on Easter Sunday and remained offline for six weeks, incurring around £300 million in costs.

Another saw payments disrupted and shelves left empty after personal data of members was stolen.

Prosecutors described the Transport for London attack as an unprecedented assault on critical national infrastructure.

Empty shelves in the branch of the Co-op in Manchester following the major cyber attack. The Manchester-based group said it is working closely with suppliers to restock its stores after the hack caused significant disruption across its retail chain and led to bare shelves in many of its shops. Picture date: Friday May 16, 2025. PA Photo. Photo credit should read: Danny Lawson/PA Wire

The hackers gained administrative rights to a central system, creating a potential consequential loss of £56 billion to the UK economy had data been destroyed.

The breach took place over four days in late August and early September 2024.

During the attack, the defendants boasted on a hacking forum and were recorded filming themselves as they worked.

Undated handout file photo originally issued on 22/06/26 by National Crime Agency of Owen Flowers, one of two young members of a criminal hacking group who carried out a cyber attack on Transport for London (TfL) that cost the organisation millions of pounds that are facing jail. Thalha Jubair, 20, and Flowers, 18, hacked TfL's online network, resulting in a ?39 million loss, prosecutors previously said. Issue date: Wednesday July 15, 2026. PA Photo. Photo credit should read: NCA/PA Wire NOTE TO EDITORS: This handout photo may only be used for editorial reporting purposes for the contemporaneous illustration of events, things or the people in the image or facts mentioned in the caption. Reuse of the picture may require further permission from the copyright holder.

At one stage, they worked continuously for 16 hours to maintain access to the network.

Flowers also admitted hacking two US healthcare companies and warned an associate that locking systems could risk lives on life support.

Both defendants had prior histories of cyber-related offending before the Transport for London attack.

Flowers was served with a cease and desist notice at 16 over false emergency calls but declined rehabilitation.

At arrest, he controlled more than $7 million in assets including cryptocurrency despite having no income.

Jubair had previously hacked telecommunications and technology firms and had 22 prior convictions.

He was under a youth rehabilitation order at the time of the attack and is wanted in the United States, where he faces decades in prison.

Both men have been diagnosed with autism, and Jubair also lives with depression and a severe mood disorder.

Each pleaded guilty to conspiracy to commit unauthorised computer acts causing serious risk to human welfare.

Share this article

UMVA MAG

UMVA Mag is your trusted source for breaking news, in-depth analysis, and compelling stories from around the world. Covering politics, business, technology, entertainment, sports, health, science, and more — we deliver journalism that matters.

Independent, Accurate, Unbiased
24/7 Breaking News Coverage
Trusted by Millions Worldwide