Two hackers have been sentenced to five and a half years in prison each for carrying out the 2024 cyberattack on Transport for London (TfL), in what the UK's National Crime Agency (NCA) has described as the country's largest cybercrime prosecution to date.
Owen Flowers, 18, and Thalha Jubair, 20, received their sentences at Woolwich Crown Court on July 16, 2026. The duo had pleaded guilty on June 22, 2026, to an offence under Section 3ZA of the Computer Misuse Act 1990, acknowledging they acted recklessly and created a significant risk of serious harm to public welfare.
The cyberattack, which lasted from August 31 to September 3, 2024, severely disrupted TfL's operations. Around 148 systems were taken offline, forcing all 27,000 employees to report to offices in person to reset their passwords. Authorities estimate the attack resulted in approximately £29 million in financial losses and recovery costs.
Transport for London, which manages nearly 9 million passenger journeys daily, experienced widespread service disruptions. Dial-a-Ride services for vulnerable passengers became unavailable, digital payment systems were affected, concessionary travel card issuance was interrupted, Oyster photocard applications were suspended, and refunds faced significant delays.
The breach also exposed customer information, including names, email addresses, and, where stored, home addresses. Additionally, Oyster refund records containing bank account details and sort codes of approximately 5,000 customers may have been compromised.
According to prosecutors, messages exchanged between the defendants suggested they intended to erase their access before leaving the network. Investigators noted that a complete shutdown of TfL's systems could have caused economic losses of up to £56 billion. However, those damages were avoided after TfL proactively disconnected its own network to contain the intrusion.
Flowers was arrested on September 6, 2024, just days after the TfL breach ended. The NCA said officers found him actively targeting two U.S. healthcare organisations—SSM Health Care Corporation and Sutter Health—during the arrest.
Authorities recovered multiple digital devices, including laptops, desktop computers, hard drives, and USB storage devices. Evidence included screenshots showing access to TfL infrastructure and videos allegedly recorded by Flowers documenting Jubair's activity inside TfL systems. Investigators also uncovered Telegram conversations and an online collaboration platform used during the attacks.
The prosecution established that Flowers had access to the remote infrastructure used to launch all three cyberattacks, while evidence connecting Jubair to the TfL breach was obtained through international law enforcement cooperation.
Flowers also admitted to two additional cybercrime offences linked to attacks on the U.S. healthcare organisations. Prosecutors stated that he threatened to lock down healthcare systems while acknowledging in online conversations that it "might kill some 90-year-old on life support." Authorities said his arrest prevented those attacks from progressing further.
The NCA identified both individuals as senior members of the cybercrime group Scattered Spider, also known as Octo Tempest, UNC3944, and 0ktapus. However, the Crown Prosecution Service (CPS) stated only that the defendants had claimed affiliation with a group investigators believe was responsible for hundreds of cyberattacks between 2022 and 2025. The FBI has linked the group to data extortion, SIM swapping, and social engineering campaigns.
While authorities have not disclosed the exact method used to compromise TfL's network, Google has recommended strengthening identity verification procedures during password resets, device enrolment, and MFA changes to defend against such attacks.
Paul Foster, head of the NCA's National Cyber Crime Unit, urged organisations to contact law enforcement as soon as they detect cyber incidents, noting that the successful prosecution would likely not have been possible without TfL's prompt reporting.
Following the sentencing, the City of London Police also renewed calls for the introduction of Cyber Crime Risk Orders, which would allow courts to impose restrictions on offenders' access to digital devices, online services, and technology based on the level of cyber risk they pose. Commander Ollie Shaw described the proposed measures as a "digital prison" for cyber offenders. The two convicted hackers were 17 and 18 years old when the offences were committed.