World

U.K. court jails young hackers for London transport cyberattack

Published: 

A man uses a computer keyboard in this photo illustration. THE CANADIAN PRESS/Graeme Roy

LONDON - A U.K. court on Thursday jailed two young men for a 2024 cyberattack on London’s public transport operator that exposed the details of millions of customers, in one of Britain’s biggest data breaches.

Thalha Jubair, 20, from east London, and 18-year-old Owen Flowers from England’s West Midlands were each handed five-and-a-half-year sentences at London’s Woolwich Crown Court.

The pair pleaded guilty last month to hacking Transport for London’s (TfL) network between Aug. 31 and Sept. 3 2024, gaining access to around seven million customers’ names and contacts.

Sentencing the men, judge Mark Turner said their actions had caused “very serious” disruption and were motivated primarily by “selfish bravado.”

The attack, discovered on Sept. 1 2024, did not affect transport on its networks but knocked TfL’s services offline for three months, costing the organisation around £25 million (US$33 million), according to revised calculations.

With the level of control they achieved over multiple days in the system, prosecutors said the British pair “could have shut down TfL completely” and potentially caused “catastrophic damage.”

Both men are linked to Scattered Spider, an online criminal collective believed to be behind a string of high-profile cyberattacks, including on British retailers Marks & Spencer and the Co-op.

Arrested in September 2025 following a National Crime Agency investigation, the pair were described by prosecutors as “experienced and talented” hackers who had been known to police for years.

Flowers also admitted to two counts of hacking into U.S.-based organisations, Sutter Health and SSM Health Care Corporation.

Jubair had previously been convicted as a juvenile over cyberattacks targeting U.S. chipmaker Nvidia and admitted to hacking the City of London Police.