6

To play this video you need to enable JavaScript in your browser. This video can not be played Figure caption, Watch: The moments the men are arrested for their role in the cyber-attack By Joe Tidy Cyber correspondent, BBC World Service Published 16 July 2026, 11:50 BST Updated 2 minutes ago Two men who carried out a cyber-attack which crippled Transport For London (TfL) when they were teenagers have both been sentenced to five years and six months in prison. Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from east London, pleaded guilty in June to carrying out the hack in 2024. They were described as computer-obsessed loners who carried out the hack as part of the cyber crime collective known as Scattered Spider. The cyber-attack disrupted TfL's online services for months, stole the personal data of millions of people and left all 27,000 TfL employees needing to reset their passwords in person. Woolwich Crown Court heard the criminals streamed their 16 hour long cyber-attack online. The National Crime Agency (NCA) said the rise of young hackers in the UK as one of the biggest threats to the nation's cyber security. Flowers was 17 and Jubair was 18 when they hacked into the capital's transport authority at 1700 on 31 August. Telegram messages sent between the pair showed them boasting about gaining access to TfL's database of people with Oyster cards. The teens then searched the list for the personal details of London celebrities, before attempting to access banking details. "Scattered Spider is creating webs on the London Underground," Flowers would later joke - referring to the loosely coordinated group of young English-speaking hackers. The group has been linked to dozens of other cyber-attacks including on retailers Marks and Spencer and the Co-op. In the last two years young men and boys have been arrested for Scattered Spider hacks in the UK, US and Finland. Impersonating an employee The TfL hack saw the data of millions of customers stolen in a spree which started on a Saturday night to maximise their chances of not being discovered by staff. As revealed by the BBC , the database is still being shared in criminal groups and contains the details of as many as 10 million TfL customers. Jubair and Flowers who both have autism, gained access to the data by tricking a phone help desk worker. They convinced the person to reset the password of an employee they were impersonating. TfL was alerted to the breach by the NCA and worked to kick the hackers out - but not before the criminals gained the details of millions of people. The transport authority said the hack could have caused widespread disruption had its IT team not stopped the hackers by logging out all staff - and eventually disconnecting TfL systems from the internet. In total, 148 technology systems became inoperable and heavily disrupted services including Dial-a-ride - used by disabled and vulnerable Londoners. TfL says the hack cost it £29m (revised down from £39m previousl
Be respectful and constructive. Comments are moderated.