TfL cyber attack: Men who livestreamed £29 million hack jailed

Two teenage members of a criminal hacking group who live-streamed themselves carrying out a cyber attack on Transport for London (TfL) that forced them to “pull the plug” on their systems have been jailed.
Thalha Jubair, 20, and Owen Flowers, 18, carried out an “extremely serious hack” on TfL’s online network between August 31 and September 3, 2024, which could have caused “catastrophic damage” to their systems.
The “multi-day intrusion” meant that more than 27,000 of TfL’s employees were forced to attend an office in person to reset their passwords.
At the sentencing hearing on Wednesday, the prosecution said hackers could “shut down TfL completely” because they had the “highest privileged access” to the system known as the “keys to the Kingdom”.
Prosecutor Mark Fenhalls KC said: “These two young men are extremely skilled with computers and capable of wreaking havoc and you may think you are completely indifferent to the consequences for the public and the potential suffering and costs of others.”
Data from the Oyster return system was accessed, there was a delay in contactless systems, and Oyster photo card applications for children and young people were closed.

At Woolwich Crown Court on Thursday, Jubair and Flowers were sentenced to five years and six months in prison.
In a televised sentencing, Mr Justice Turner addressed the defendants and said: “I am satisfied that your actions were essentially motivated by selfish bravado, without regard to the consequences they might have on others.”
The court heard the defendants were linked to Scattered Spider and used the name to communicate with each other at the time of the attack.
TfL claims the incident caused £10 million in lost revenue, as well as £29 million in losses from disruption to services and operational work.
The court heard hackers worked 16-hour nights to gain access to TfL systems after tricking the helpdesk into resetting a password for them.
They then logged into Microsoft Azure and began “using TfL’s own systems to hack itself” as they progressed through the system.
“They are experienced and skilled hackers who acted together with others to attack TfL,” Mr Fenhalls said.
Flowers live-streamed Jubair performing the hack, and some of the videos were recovered when he was arrested three days later on September 6.
The two were in constant communication during the attack, and as they were leaving they talked about “nuclear blocking” access to the servers.

The prosecution said the pair had been “completely reckless about the consequences” and highlighted the potential loss to the UK of billions of dollars if hackers lock down or destroy the central TfL system.
In a victim impact statement read in court on Wednesday, TfL said it believed the hackers had “sufficient access” during the attack to “cause catastrophic damage to many technology systems, which could lead to significant and prolonged transport service disruption and disruption”.
Mr Fenhalls said: “TfL have effectively pulled the plug on their own systems, cutting off all computer connections to the internet.
“That was the only thing they could do at that point to remove the threat from the system and prevent a disaster.”
Paul Keleher KC, defending Jubair, compared his client to a “modern-day Oliver Twist” who was groomed from a young age to use his skills for hacking.
The court heard Jubair was convicted of 22 offenses last year, including attacks on individuals, telecommunications businesses and the City of London Police system.
Adam Davis KC, for Flowers, who was 17 when he carried out the hack, described his client as “an immature kid trying to show off online”.
When Flowers was arrested in September 2024, his laptop was found in the process of hacking two US healthcare systems.
The court heard those hacks were only stopped due to the “fortuitous timing” of his arrest.
Both young men admitted conspiring to commit unauthorized acts in relation to a computer that caused serious damage or created a risk of serious damage.
Flowers also pleaded guilty to two counts of conspiracy to commit unauthorized acts with a computer with intent to cause harm in relation to healthcare systems.
There will be more to this breaking news. Subscriber Here To get the latest updates from The Independent



