TfL hackers caused £39m losses after cyberattack on London’s transport network
Thalha Jubair, 20, and Owen Flowers, 18, conducted an “extremely serious hack” on TfL’s online network which could have done “catastrophic damage” between August 31 and September 3 2024.
The hack also meant all of TfL’s more than 27,000 employees were forced to attend an office to reset their passwords.
The pair who conducted the “multi-day intrusion” appeared at Woolwich Crown Court on Wednesday after admitting their roles in the hack.
Data from the Oyster refund system was accessed, contactless systems were delayed, and applications for Oyster photocards for children and young people were closed down.
The defendants were tied to a group known as Scattered Spider.
Mark Fenhalls KC, prosecuting, said: “These two young men are highly skilled with computers and capable of wreaking havoc and you may think wholly indifferent to the consequences for the public and the potential suffering and costs to others.”
Along with the £29 million in damages from disruption to services and operational work, TfL claims the incident cost £10 million in lost income.
The hackers worked through the night for 16 hours to access the TfL systems after tricking the helpdesk into resetting a password for them, the court heard.
They then logged on to Microsoft Azure and began “using TfL’s own systems to hack itself” as they moved up through the system.
“They are both experienced and talented hackers who were together in concert with others to attack TfL,” said Mr Fenhalls.
The prosecution added that the hackers “could have shut out and shut down TfL completely” as they eventually had the “highest privileged access” in the system, known as “the keys to the kingdom”.
A TfL victim impact statement read out in court said: “It is possible that access could have been sufficient to enable the actor to cause catastrophic damage to many technology systems, which would have led to significant and extended transport service degradation and disruption.
“Such widespread disruption would have had a serious impact on the travelling public, including for those accessing education, healthcare and other essential services, and London’s economy.”
Flowers also livestreamed Jubair as he conducted the hack, and some of the videos were recovered when he was arrested three days later on September 6.
The pair were in constant contact during the attack, and spoke about “nuking access” to the servers on their way out.
Mr Fenhalls said: “They were utterly reckless about the consequences of hacking TfL, the transport network and the communications for the country.
“It only came to an end because TfL threw them out rather than they chose to stop.”
Together they used remote servers to conceal the origin of the attack, created virtual machines within the TfL system to destroy evidence of the attack, downloaded millions of lines of data from their systems, and created multiple back doors within TfL’s system, the court heard.
The prosecution underlined a potential loss of billions to the UK if the hackers had locked or destroyed the central TfL system.
“This is hacking of the most serious sort with the ability to do remarkable levels of damage,” said Mr Fenhalls.
Defending Jubair, Paul Keleher KC compared his client to a “modern day Oliver Twist” who had been groomed from a young age to use his skills for hacking.
He said: “They recruited young children to use their nimble fingers and nimble feet to steal from people.”
Mr Justice Turner said: “There’s no Fagan in this case, it’s a Faganless crime.”
The judge added: “He has an audience but he doesn’t have a puppet master, he’s promoted himself to an instigator and perpetrator.”
Jubair was sentenced last year for 22 offences including hacks on individuals, telecoms businesses and the City of London Police system.
On behalf of Flowers, who was 17 when he conducted the hack, Adam Davis KC described his client as an “immature child trying to show off online”.
When Flowers was arrested in September 2024, his laptop was found in the process of hacking two US healthcare systems.
Those hacks were only stopped because of the “fortuitous timing” of his arrest, the court heard.
The defendants were both placed on remand just over a year after the hack took place in September 2025.
Flowers managed to purchase “unlawful phones” in prison and search for logins to the Ministry of Justice, HMP Wandsworth staff, and the CPS, the court heard.
“Mr Fenhalls said: “Whilst in prison Flowers has used online tools used for purchase of breached credentials. It also indicates attempts to access multiple government domains.”
Both men admitted conspiracy to commit unauthorised acts in relation to a computer causing or creating risk of serious damage.
Flowers also admitted two counts of conspiracy to commit unauthorised acts in relation to a computer with intent to impair, in relation to the healthcare systems.
Mr Justice Turner will pass sentence on the hackers at 11.30am on Thursday.

Deputy Editor
Read more similar news:
Comments:
comments powered by Disqus