Skip to content
Quick exit
  • Cymraeg
  • Reporting SARs
  • CSEA Reporting for Industry
NCA Logo
Protecting the public from serious and organised crime
  • Who we are
    • Our mission
    • Our people
    • Our leadership
    • Governance and transparency
    • Inclusion, diversity and equality
    • Publications
  • What we do
    • What we investigate
    • Border vulnerabilities
    • Bribery, corruption and sanctions evasion
    • Cybercrime
    • Child sexual abuse and exploitation
    • Drug trafficking
    • Illegal firearms
    • Fraud
    • Kidnap and extortion
    • Missing persons
    • Modern slavery and human trafficking
    • Money laundering and illicit finance
    • Organised immigration crime
    • Operation Stovewood: Rotherham child sexual abuse investigation
    • How we work
    • Intelligence: enhancing the picture of serious organised crime affecting the UK
    • Investigating and disrupting the highest risk serious and organised criminals
    • Providing specialist capabilities for law enforcement
    • Supporting victims and survivors
    • National Strategic Assessment for Serious and Organised Crime
    • Underworld: Behind the scenes of the NCA Podcast
  • News
    • All news
  • Careers
    • How to join the NCA
    • Applying and onboarding
    • Current vacancies
    • A day in the life
    • Benefits and support
  • Most Wanted
  • Contact us
    • Officer verification
    • Return of seized property
    • Provide information on serious and organised crime
    • Whistleblowing
    • Complaints
    • Media enquiries
    • Suspicious Activity Reports (SARs)
  1. Home >
  2. News >
  3. Two sentenced for hacking Transport for London in UK’s biggest ever cyber crime case

Share this page:

Share this page:

News

Two sentenced for hacking Transport for London in UK’s biggest ever cyber crime case

  • Cybercrime

Two young men have been sentenced for launching a cyber attack on Transport for London (TfL) which cost tens of millions of pounds in losses and inconvenienced thousands of customers.

Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands, were identified by the NCA and City of London Police following the infiltration of TfL’s network between 31 August and 3 September 2024.

They both pleaded guilty to the attack last month in what was only the second criminal prosecution of its kind in the UK under the Computer Misuse Act (CMA).

Section 3ZA of the CMA is the most serious section as it applies where the unauthorised act causes or creates a significant risk of serious damage, and the person intends or is reckless as to that damage.

Jubair and Flowers, who were arrested at their home addresses on 16 September last year by the NCA and CoLP, were both leading members of the online criminal collective known as Scattered Spider.

Owen Flowers

Although other cybercriminals may continue to use the damaged Scattered Spider brand, the NCA’s action against Jubair and Flowers effectively halted the group’s criminal activity. Independent assessment supports this, with Microsoft confirming that the arrests materially degraded the group's ability to continue conducting cybercriminal operations.

While swift action by TfL limited the impact, a number of services relied on by the public were disrupted. These included the Dial-a-Ride booking service, which provides transport to vulnerable Londoners, the provision of concessionary travel cards, the digital payments channel and a delay to the extension of contactless ticketing.

All 27,000 of TfL’s employees were forced to attend a TfL office for a password reset and a total of 148 systems became inoperable, including critical ones that required significant manual workarounds and delays. The organisation, which reported the incident to CoLP’s Report Fraud service, suffered a reported £29 million in loss and recovery costs.

However, had the attack succeeded in shutting down the transport network the estimated cost to the UK economy could have been up to £56 billion.

Data from TfL’s Oyster refunds system was accessed and the incident also affected TfL’s customer refund system, leaving some out of pocket for much longer than usual. It also closed down the application system for Oyster photocards for children and young people.

Flowers was initially arrested for the TfL attack on 6 September 2024, at which point he was found to be in the process of hacking the systems of US healthcare companies SSM Health Care Corporation and Sutter Health, which had been infiltrated and damaged.

Investigators found a number of devices at his home including laptops, computer towers, hard drives and USB sticks.

One laptop contained a screen shot showing network connectivity to TfL infrastructure.

Thalha JUBAIR

The laptop also contained a number of videos that Flowers had recorded, showing Jubair accessing TfL systems during the attack. The pair were messaging each other over Telegram at the same time and also communicated via an online tool where multiple participants can work remotely in a common workspace.

Following his initial arrest, Flowers was arrested again for a bail breach relating to non-compliance with conditions concerning his device usage.

Jubair was also charged for failing to disclose the pin or passwords for devices seized from him.

Both individuals changed their pleas to guilty on the day they were due to stand trial at Woolwich Crown Court (22 June).

At the same court today (16 July) Flowers and Jubair were each sentenced to five years and six months imprisonment.

Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, said:

“This is the largest cyber crime prosecution ever brought before the UK courts and the culmination of nearly two years of painstaking work by the NCA, CPS and our policing partners.

“Scattered Spider has been the most significant cybercrime threat to the UK in recent years. Through this investigation, we have severely disrupted that threat and brought key offenders to justice.

“The attack on Transport for London caused significant financial harm and disruption to a vital part of the UK’s critical infrastructure. These convictions would likely not have been possible had Transport for London not engaged with law enforcement early, so I would urge any other organisation to please do the same in such circumstances.

“We will continue working with partners in the UK and overseas to identify offenders and bring them to justice.”

Commander Ollie Shaw, at the City of London Police said:

"Cyber crime continues to evolve rapidly and presents a significant threat to individuals, businesses and our national security. Through new proposed Cyber Crime Risk Orders (CCROs) the police and law enforcement would be equipped with an important additional tool to help prevent harm, disrupt criminal activity and protect the public.

“These proposals are designed to be flexible, so that courts can set restrictions based on the level of risk an individual poses, rather than using the same approach for everyone. This could include limits on devices, online services or technologies that are often used to commit cyber crime, creating a type of "digital prison" for cyber offenders.

“The aim is not just to punish offenders, but also to help them rebuild their lives and use technology safely and legally – as the vast majority of people already do. The measures would be overseen by the courts and reviewed regularly to make sure they remain fair and proportionate. As more crime is enabled by digital technology, it’s really important that policing has modern powers to prevent offenders from causing further harm."

Security Minister Dame Angela Eagle said:

“This shocking case shows the very serious threat that cyber criminals pose to our security and prosperity – a key part of our capital’s infrastructure lost millions of pounds and many ordinary paying customers suffered huge disruption.

“My thanks go to the National Crime Agency and the City of London Police for their exceptional work in tracking down these criminals and bringing them to justice. This should send a clear message to anyone planning illegal cyber activity that there will be consequences when you are caught.

“As the threat from cyber attacks increases, this government is bolstering the UK’s defences from cyber crime with new legislation and a National Cyber Action Plan. Let this also be a reminder to all organisations in the UK to protect themselves and build up their cyber resilience.”

Andy Lord, London's Transport Commissioner said:

“We welcome the news that two people charged in relation to the cyber incident which impacted our operations in 2024 have now been sentenced. The security of our systems and customer data is extremely important to us, and we continually monitor our systems to ensure only those authorised can gain access and continue to take the necessary actions to protect TfL. We thank the hard work of our staff and of the National Crime Agency and partners for their investigations into this incident.”

FBI Cyber Division Assistant Director Brett Leatherman said:

“Today’s announcement represents a significant step in holding accountable two members of Scattered Spider, a group that has repeatedly relied on data extortion, SIM-swap attacks, and other social engineering techniques to infiltrate networks and undermine critical services.

“The FBI commends the National Crime Agency for its exceptional work. We will continue to work alongside our global law enforcement partners to investigate cybercriminal actors, disrupt their activities, and hold them accountable.”

The NCA and CoLP investigation was supported by the West Midlands Regional Organised Crime Unit and British Transport Police.

Victims of cybercrime should use the Government’s Cyber Incident Signposting Site for direction on which agencies to report an incident to.

The Cyber Choices programme helps people make informed choices to use their cyber skills in a legal way. Visit www.cyberchoices.uk

16 July 2026

Latest from twitter

Visit the NCA timeline on Twitter

Share this page:

TOP ˄
Verify an officer using our online reporting tool.
Click CEOP logo: Advice, Help, Report
  • Who we are

  • Our mission
  • What we do

  • How we investigate
  • How we work
  • News

  • Most wanted

  • Careers

  • A day in the life
  • Current vacancies
  • Contact us

  • Missing persons
  • Operation Stovewood
  • Suspicious activity reports
  • Verify an NCA officer
  • Complaints

Follow us

  • Sitemap
  • Privacy and Cookie Policy
  • Terms and Conditions
  • Publications
  • Accessibility statement
© Crown Copyright
© Crown Copyright