
Two young men have been sentenced to five years and six months in prison after carrying out and livestreaming a 16-hour cyberattack on Transport for London (TfL) in August 2024. The attack disrupted online services, exposed sensitive customer information, and forced the transport authority to reset passwords for all employees.
Read more : Hackers leak data from India’s largest nuclear plant
Eighteen-year-old Owen Flower from Walsall and 20-year-old Thalha Jubair from East London pleaded guilty to the cyberattack last month. During court proceedings, prosecutors said the pair gained unauthorized access to TfL’s systems, searched the personal information of well-known London figures, and attempted to obtain banking details belonging to customers.
Investigators said the attackers accessed the network by impersonating a TfL employee and convincing a help desk worker to reset the employee’s password. This social engineering technique allowed them to enter the system and access the personal records of around 10 million customers, with reports suggesting some of the stolen data continues to circulate within criminal networks.
Read more : Five Eyes warns AI could outpace cybersecurity threats within months
The court also heard that Flower and Jubair were members of the hacking group known as Scattered Spider, which has been linked to several high-profile cyberattacks in the United Kingdom, the United States, and Finland. The group has also been associated with attacks targeting major retailers, including Marks and Spencer and the Co-op.
Meanwhile, the cyberattack is estimated to have cost Transport for London approximately £29 million through recovery efforts, security improvements, and operational disruption. The case highlights the growing threat posed by organized cybercrime and the importance of stronger cybersecurity measures to protect public services and sensitive customer information.