Cyberhackers who targeted TfL jailed for more than five years each
Two members of a cyberhacking group have been sentenced following a successful CPS prosecution.
Owen Flowers, 18, and Thalha Jubair, 19, previously pleaded guilty to hacking TfL whilst recklessly causing a significant risk of serious damage to human welfare in September 2024.
Flowers also admitted conspiring to launch cyber-attacks on American not-for-profit healthcare systems SSM Health and Sutter Health.
Today, at Woolwich Crown Court, Flowers and Jubair were both sentenced to five and a half years imprisonment each.
Between 31 August and 3 September 2024, the pair conspired together and conducted a cyberattack on TfL’s systems. It cost the transport network £29 million pounds to remedy and rendered more than 140 systems inoperable.
Whilst only they knew their ultimate aim, it was suggested in chats between Jubair and Flowers that they would “nuke access”. There was a significant risk that this could have caused many billions of pounds of damage to the UK economy by disrupting London’s transport network.
On 6 September 2024, Flowers also launched cyberattacks on two separate US Healthcare providers. He again threatened to lock the systems down despite acknowledging in his chats with others that this ‘might kill some 90yr old on life support’. Flowers was caught and was prevented from executing this attack.
The investigation team were able to prove that Flowers had been connected to a remote server used to launch the attack into TfL’s systems, as well as SSM and Sutter Health. Telegram messages joking about the potential consequences of their cyberhacks were also used to prove both Flowers and Jubair’s involvement.
Whilst Flowers’ devices linked him to all three attacks, information linking Jubair to the TfL attack was uncovered overseas. The prosecutor worked with prosecutor colleagues overseas to swiftly obtain evidence to support the prosecution case and successfully attribute the attack to Jubair.
Flowers and Jubair are believed to be the first hackers to be successfully prosecuted under Section 3ZA of the Computer Misuse Act 1990.
The CPS’s specialist Serious Economic and Organised Crime Division advised the National Crime Agency during their investigation and authorised charges against both Flowers and Jubair as quickly as possible to prevent any further offending.
Lionel Idan, Chief Crown Prosecutor for SEOCID Regional and Wales Division, said: “Flowers and Jubair broke into and accessed sensitive systems to extract information from millions of Oystercard holders.
“The evidence revealed not only the sophistication and persistence of their attack but also the recklessness of those responsible. Both defendants showed a staggering disregard for the consequences of their actions as their cyberattack led to TfL having to ‘pull the plug’ on their own network to protect it from wider disruption to the transport network.
“TfL oversee an average 9 million daily journeys and if they had carried out their threats to kill access to TfL’s systems, the impact on the wider economy could have been catastrophic and cost billions. Thankfully, TfL’s reaction prevented this.
“This successful prosecution was a perfect example of collaboration with investigators, prosecutors and international partners working together to build a watertight case that left Jubair and Flowers with little choice but admit their crimes.
“The two defendants claimed at various points to be members of a group called ‘Scattered Spider’. This group were believed to be responsible for hundreds of cyber-attacks between 2022 and 2025. Serious and organised crime is increasingly global and cybercrime is one of a number of growing crime types.
“The CPS stands ready to help root out cybercrime, working alongside victims, police, partners and international counterparts, to prosecute anyone targeting our key infrastructure.”
Notes to editors
- Owen Flowers and Thalha Jubair previously pleaded guilty to one count of S3ZA Computer Misuse Act 1990 in relation to a cyber-attack on TfL in September 2024 on the basis that they were reckless as to whether they had caused, or created a significant risk of, serious damage to human welfare.
- Flowers also pleaded guilty to two counts of S3Computer Misuse Act 1990 in relation to a conspiracy and attempt with intent to impair the operation of computer systems belonging to SSM and Sutter Health.
- In June 2026, the CPS launched its new Serious and Economic Organised Crime Strategy 2030, setting out the organisation’s approach to tackling serious organised crime for the rest of the decade - Crown Prosecution Service Serious and Economic Organised Crime Strategy 2030 | The Crown Prosecution Service