UK Court Sentences Two Hackers to 5.5 Years for Transport for London Cyberattack That Caused £29 Million in Damages

 

Two hackers have been sentenced to five and a half years in prison each for carrying out the 2024 cyberattack on Transport for London (TfL), in what the UK’s National Crime Agency (NCA) has described as the country’s largest cybercrime prosecution to date.
Owen Flowers, 18, and Thalha Jubair, 20, received their sentences at Woolwich Crown Court on July 16, 2026. The duo had pleaded guilty on June 22, 2026, to an offence under Section 3ZA of the Computer Misuse Act 1990, acknowledging they acted recklessly and created a significant risk of serious harm to public welfare.
The cyberattack, which lasted from August 31 to September 3, 2024, severely disrupted TfL’s operations. Around 148 systems were taken offline, forcing all 27,000 employees to report to offices in person to reset their passwords. Authorities estimate the attack resulted in approximately £29 million in financial losses and recovery costs.
Transport for London, which manages nearly 9 million passenger journeys daily, experienced widespread service disruptions. Dial-a-Ride services for vulnerable passengers became unavailable, digital payment systems were affected, concessionary travel card issuance was interrupted, Oyster photocard applications were suspended, and refunds faced significant delays.
The breach also exposed customer information, including names, email addresses, and, where stored, home addresses. Additionally, Oyster refund records containing bank account details and sort codes of approximately 5,000 customers may have been compromised.
According to prosecutors, messages exchanged between the defendants suggested they intended to erase their access before leaving the network. Investigators noted that a complete shutdown of TfL’s systems could have caused economic losses of up to £56 billion. However, those damages were avoided after TfL proactively disconnected its own network to contain the intrusion.
Flowers was arrested on September 6, 2024, just days after the TfL breach ended. The NCA said officers found him actively targeting two U.S. healthcare organisations—SSM Health Care Corporation and Sutter Health—during the arrest.
Authorities recovered multiple digital devices, including laptops, desktop computers, hard drives, and USB storage devices. Evidence included screenshots showing access to TfL infrastructure and videos allegedly recorded by Flowers documenting Jubair’s activity inside TfL systems. Investigators also uncovered Telegram conversations and an online collaboration platform used during the attacks.
The prosecution established that Flowers had access to the remote infrastructure used to launch all three cyberattacks, while evidence connecting Jubair to the TfL breach was obtained through international law enforcement cooperation.
Flowers also admitted to two additional cybercrime offences linked to attacks on the U.S. healthcare organisations. Prosecutors stated that he threatened to lock down healthcare systems while acknowledging in online conversations that it “might kill some 90-year-old on life support.” Authorities said his arrest prevented those attacks from progressing further.
The NCA identified both individuals as senior members of the cybercrime group Scattered Spider, also known as Octo Tempest, UNC3944, and 0ktapus. However, the Crown Prosecution Service (CPS) stated only that the defendants had claimed

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents

Read the original article: