Key Points
- Severe Prison Sentences: Two teenagers associated with the infamous “Scattered Spider” hacking syndicate have each been sentenced to five years and six months in prison.
- Massive Financial Impact: The cyberattack cost Transport for London (TfL) an estimated £29 million in direct system damages and mitigation, with an additional £10 million lost in revenue, bringing the total economic impact to £39 million.
- Widespread Infrastructure Disruption: The breach crippled London’s transit system, disabling the Dial-a-Ride booking service for disabled and elderly passengers, halting Oyster card registrations and applications, and disrupting digital payments and customer refund systems.
- Unprecedented Prosecution: This case represents the first successful, landmark conviction in the United Kingdom under Section 3ZA of the Computer Misuse Act (CMA), which prosecutes unauthorised computer acts that risk serious damage to human welfare.
- US Healthcare Sabotage Thwarted: One of the defendants also pleaded guilty to attempts to hack two major US healthcare networks, showing a reckless disregard for patient lives.
- Critical Mitigation: Disasters were only averted because TfL promptly collaborated with law enforcement and took the extreme step of “pulling the plug” on its entire digital network.
London (The Londoner News) July 16, 2026 – Two key members of the notorious “Scattered Spider” cybercrime syndicate have been sentenced to five years and six months in prison each following a catastrophic cyberattack on Transport for London (TfL). The sentencing, handed down today at Woolwich Crown Court by Mr Justice Turner, marks the culmination of a landmark joint investigation by the National Crime Agency (NCA) and the City of London Police (CoLP). The young hackers, Thalha Jubair, 20, of East London, and Owen Flowers, 18, of Walsall, West Midlands, had earlier pleaded guilty on the first day of what was scheduled to be a complex six-week trial.
- Key Points
- How Did the Hackers Exploit the TfL Help Desk?
- What Was the Actual Financial Cost of the Cyberattack?
- Which Public Services and Systems Were Disrupted?
- Why Is This Case Historically Significant for UK Law?
- Did the Hackers Target US Healthcare Systems?
- How Did Police Trace the Teenagers?
- What Do We Know About the Hackers’ Backgrounds?
- What Are the Responses from UK Officials?
The critical breach, which took place between August 31 and September 3, 2024, brought the transport network of the UK’s capital to the brink of collapse. Though the hackers gained the “keys to the kingdom”—highest-tier domain administrator privileges that allowed them to completely nuke system access—they were ultimately stopped when TfL authorities took the radical step of “pulling the plug” on their own servers to protect vital transit infrastructure.
How Did the Hackers Exploit the TfL Help Desk?
As detailed in court proceedings and reported by Dan Milmo and Joe Pinner of The Guardian, the initial breach was executed not through highly advanced software exploits, but via simple human manipulation. A co-conspirator called the TfL IT help desk, masquerading as an employee struggling to log into the network remotely.
The call handler was successfully tricked into resetting the multi-factor authentication protocol. This allowed Jubair and Flowers to immediately bind the employee profile to a device under their control. Once inside, the two teenagers rapidly escalated their digital privileges. According to prosecution statements, they successfully established a “domain admin” account, leaving them with absolute structural control over the entire transport network’s internal systems.
What Was the Actual Financial Cost of the Cyberattack?
While initial estimates focused primarily on IT recovery, the true scale of the financial damage is staggering. As reported by Dan Milmo, the Global Technology Editor for The Guardian, the attack incurred a total cost of £39 million. This was divided into:
- £29 million in direct system damage, forensic investigation, and IT recovery efforts.
- £10 million in direct loss of revenue caused by transactional and ticketing downtime.
Had TfL not reacted rapidly by severing network connectivity, investigators estimated that a complete collapse of London’s transport infrastructure could have cost the United Kingdom’s national economy up to £56 billion.
Which Public Services and Systems Were Disrupted?
While trains and buses continued to run physically, the administrative and transactional infrastructure supporting London’s 10 million commuters was severely damaged.
According to official briefings from the National Crime Agency (NCA):
- Dial-a-Ride Disruption: The specialized booking platform relied upon by vulnerable, disabled, and elderly passengers was completely disabled.
- Password Reset Chaos: TfL was forced to mandate that all 27,000 of its employees physically travel to a secure TfL office to reset their passwords in person.
- App and Web Failures: Live arrival data was wiped from both the TfL Go application and the official website.
- Ticketing and Refunds: Commuters were unable to process payments on Oyster or contactless apps, purchase concessionary travel photocards for children, or request financial refunds.
- Data Theft: The personal data of approximately 7 million passengers—specifically relating to Oyster card refund systems—was accessed and stolen during the four-day heist.
Why Is This Case Historically Significant for UK Law?
This sentencing represents a massive legal milestone in British judicial history. Thalha Jubair and Owen Flowers are the first individuals to be successfully prosecuted and convicted under Section 3ZA of the Computer Misuse Act (CMA).
As clarified in statements published by the NCA:
“Section 3ZA of the CMA is the most serious section as it applies where the unauthorised act causes or creates a significant risk of serious damage, and the person intends or is reckless as to that damage.”
By targeting critical public infrastructure, the prosecution successfully argued that the teenagers acted with extreme recklessness regarding the safety and welfare of millions of daily passengers.
Did the Hackers Target US Healthcare Systems?
The investigation revealed that Owen Flowers’ illicit activities extended far beyond British borders. Following his initial arrest on September 6, 2024, investigators seized an Acer laptop containing damning digital evidence.
According to a press release by Lionel Idan, the Chief Crown Prosecutor for the CPS Serious Economic, Organised Crime and International Law Division (SEOCID):
“Flowers also admitted conspiring to launch cyber-attacks on American not-for-profit healthcare systems SSM Health and Sutter Health.”
The CPS presented chat logs from the messaging application Telegram, in which Flowers acknowledged that locking down the clinical systems of the healthcare providers “might kill some 90-year-old on life support”. Despite this, he attempted to execute the ransomware block anyway.
Furthermore, as highlighted in reporting by Infosecurity Magazine, the US Department of Justice unsealed charges against Thalha Jubair, alleging his participation in over 120 separate corporate network intrusions across 47 US entities, which amassed more than $115 million (£87 million) in ransom demands.
How Did Police Trace the Teenagers?
The joint operation between the NCA’s National Cyber Crime Unit and the City of London Police tracked the duo through digital footprints left across multiple remote channels.
During raids on their homes, officers recovered laptops, external hard drives, and USB devices. Crucially, forensic analysts recovered videos recorded by Flowers on his laptop that directly showed a live feed of Jubair accessing and manipulating TfL’s internal network architecture in real time. Despite having no legal source of income, prior court hearings revealed that Flowers controlled accounts containing up to $7.1 million (£5.4 million) in cryptocurrency assets.
Explore more Local London News:
NHS Expands Pathology Drone Network in South West London, 2026
Camden Council Plans Permanent High Street Car Ban, London 2026
What Do We Know About the Hackers’ Backgrounds?
Defence barristers at Woolwich Crown Court presented deep psychological evaluations for both teenagers, explaining that their online behavior was heavily tied to personal isolation. Both Jubair and Flowers have been diagnosed with autism.
Jubair also suffers from severe clinical depression and mood disorders, and the court heard he had historically attempted suicide after being severely bullied at school. Despite his youth, Jubair had already amassed 22 prior convictions, including blackmail, fraud, and cyber intrusions against BT, EE, and the microchip giant Nvidia. He was actively serving a youth rehabilitation order when he carried out the TfL hack.
Defending Flowers, Adam Davis KC described the 18-year-old as an “immature child trying to show off online,” noting he experienced an incredibly “unsettled childhood” that involved intervention from social services from infancy.
What Are the Responses from UK Officials?
The successful prosecution has drawn strong commentary from political leaders and law enforcement chiefs who hope to use this case as a deterrent.
Furthermore, Commander Ollie Shaw of the City of London Police spoke about future preventative frameworks, advocating for the introduction of Cyber Crime Risk Orders (CCROs).
As stated by Commander Ollie Shaw:
“These proposals are designed to be flexible, so that courts can set restrictions based on the level of risk… This could include limits on devices, online services or technologies… creating a type of ‘digital prison’ for cyber offenders.”
Independent assessments from tech giants, including Microsoft, have confirmed that the prosecution of Jubair and Flowers has severely degraded and effectively halted the operational capacity of the Scattered Spider brand within the UK.