Politics Business Culture Technology Environment Travel World
Home Technology Feature
Technology · Exclusive

Two Men Sentenced to Prison for Major Cyberattack on London's Transport Network

Two Men Sentenced to Prison for Major Cyberattack on London's Transport Network
Technology · 2026
Photo · Kai Lindgren for European Pulse
By Kai Lindgren Technology Editor Jul 16, 2026 3 min read

Two young men have been sentenced to five-and-a-half years in prison by a UK court for a major cyberattack on Transport for London (TfL) in September 2024, one of the largest data breaches in British history. Thalha Jubair, 20, from east London, and Owen Flowers, 18, from the West Midlands, pleaded guilty last month to hacking TfL’s network between 31 August and 3 September 2024, gaining access to the names and contact details of approximately seven million customers.

The attack, which did not disrupt transport services, left parts of TfL’s systems offline for three months, according to Judge Mark Turner at Woolwich Crown Court. The judge described the pair’s actions as causing “very serious” disruption, driven primarily by “selfish bravado.” The City of London Police estimated the attack cost TfL around £25 million (€29.3 million) in damages, while TfL itself put the total cost at £29 million (€34 million) in damages and a further £10 million (€11.7 million) in lost income.

How the Hackers Breached TfL’s Network

Prosecutor Mark Fenhalls detailed how the pair used TfL employee credentials found on “russianmarket,” a dark web marketplace for stolen logins. They worked for 16 straight hours, communicating via the messaging app Telegram, to breach the system after convincing the helpdesk to reset an employee’s password. During the intrusion, the teenagers searched the network for celebrities’ travel histories and attempted to access customers’ payment information. After gaining additional privileges over several days, the hackers effectively held “the keys to the kingdom,” giving them “control over the whole network,” Fenhalls said.

The court heard that during the attack, Flowers told Jubair that “the government deserves to be hacked.” TfL and authorities discovered the breach on 1 September 2024 but took days to regain control of the network. The incident forced TfL to reset passwords for around 27,000 employees and prompted a major security overhaul.

Links to Cybercrime Group Scattered Spider

Both men were linked to Scattered Spider, a cybercrime group believed to be behind a string of high-profile attacks, including those targeting British retailers Marks & Spencer and the Co-op. Arrested in September 2025 following an investigation by the National Crime Agency (NCA), prosecutors described the pair as “experienced and talented” hackers who had been known to police for years. Flowers also admitted hacking US-based healthcare providers Sutter Health and SSM Health Care Corporation. The NCA said officers found him carrying out those attacks when they raided his home on 6 September 2024 as part of the TfL investigation.

The case highlights the growing threat of cybercrime to critical infrastructure across Europe. While London’s transport network was the target, similar vulnerabilities exist in other European capitals, from Paris to Berlin, where public transport systems increasingly rely on digital platforms. The attack also underscores the importance of robust cybersecurity measures, especially as cities expand their digital services. For more on how European cities compare in terms of travel and infrastructure, see our analysis of London, Paris, Rome: Which European Capital Offers the Best City Break?

The sentencing comes amid broader concerns about data privacy and cyber resilience in the UK and the EU. The UK’s departure from the EU has not shielded it from cross-border cyber threats, and the case serves as a reminder that cooperation between law enforcement agencies across Europe is essential. The NCA worked closely with the City of London Police and other partners to bring the perpetrators to justice.

For TfL, the attack has prompted a review of its cybersecurity protocols. The organization has since implemented multi-factor authentication and enhanced monitoring systems to prevent future breaches. However, the financial and reputational damage underscores the high stakes of cyberattacks on public services.

More from this story

Next article · Don't miss

Russia-Linked Disinformation Campaign Storm-1516 Behind Fake Hezbollah Bastille Day Threat

A video threatening attacks on Bastille Day in France, purportedly from Hezbollah, has been debunked as fake. Researchers link it to the Russia-linked Storm-1516 influence operation. The clip spread on Telegram, X, and Facebook, gaining nearly one million view

Read the story →
Russia-Linked Disinformation Campaign Storm-1516 Behind Fake Hezbollah Bastille Day Threat