Two Scattered Spider Hackers Sentenced to 5.5 Years Each for £29 Million Transport for London Cyberattack
In a significant legal development, Owen Flowers, 18, and Thalha Jubair, 20, were sentenced to five and a half years in prison at Woolwich Crown Court on July 16, 2026, for their involvement in a cyberattack on Transport for London (TfL) in 2024. This incident has been characterized as one of the most severe cybercrimes in the UK, affecting a vital public service and resulting in substantial financial losses.
The Cyberattack and Its Impact
The cyber intrusion, which occurred from August 31 to September 3, 2024, rendered 148 TfL systems inoperable. This disruption forced all 27,000 employees of the transport authority to reset their passwords in person, highlighting the extensive operational challenges posed by the attack. The National Crime Agency (NCA) and the Crown Prosecution Service (CPS) estimated the total losses and recovery costs for TfL at approximately £29 million.
On June 22, 2026, just before their trial was set to commence, both Flowers and Jubair pleaded guilty to charges under Section 3ZA of the Computer Misuse Act 1990. This section represents the most serious offense under the Act, and the defendants acknowledged their recklessness in potentially causing significant harm to human welfare.
Legal Precedents and Implications
The CPS indicated that Flowers and Jubair are believed to be the first individuals successfully prosecuted under this specific section of the Computer Misuse Act. The NCA has classified this case as the largest cybercrime prosecution in UK history. The implications of this case extend beyond the immediate sentencing, as it sets a legal precedent for future cybercrime cases.
The attack on TfL disrupted essential services, including the Dial-a-Ride program for vulnerable Londoners, digital payment systems, and the issuance of concessionary travel cards. The closure of applications for Oyster photocards, which provide discounted fares for children and young people, further illustrated the widespread impact of the breach.
Technical Aspects of the Intrusion
TfL reported that names, email addresses, and home addresses were accessed during the breach. Additionally, sensitive data related to Oyster refunds, including bank account numbers and sort codes for around 5,000 individuals, may have been compromised. The NCA noted that had the attackers successfully shut down the network, it could have resulted in economic damages of up to £56 billion.
The investigation revealed that Flowers was arrested at home on September 6, 2024, shortly after the TfL intrusion concluded. During the arrest, NCA officers discovered that he was simultaneously targeting two U.S. healthcare organizations, SSM Health Care Corporation and Sutter Health. Investigators seized multiple devices, including laptops and hard drives, which contained evidence linking the pair to the TfL attack.
Broader Context: The Scattered Spider Group
Both Flowers and Jubair were identified as leading members of the cybercriminal group known as Scattered Spider, which has also been associated with other aliases such as Octo Tempest and UNC3944. The group is believed to have executed hundreds of attacks between 2022 and 2025, with the FBI linking them to various cybercrimes, including data extortion and SIM swapping.
In a separate ongoing case, Jubair faces additional charges in New Jersey for computer fraud, wire fraud, and money laundering conspiracies. This complaint alleges involvement in approximately 120 network intrusions affecting at least 47 U.S. victims, with ransom payments exceeding $115 million.
Future of Cybersecurity and Law Enforcement
The NCA has stated that the arrests of Flowers and Jubair have significantly disrupted the operations of Scattered Spider, although it acknowledges that other criminals may continue to exploit the group’s brand. The case has prompted discussions about the need for enhanced cybersecurity measures and the importance of early reporting to law enforcement agencies.
Paul Foster, head of the NCA’s National Cyber Crime Unit, emphasized the necessity for organizations to report cyber incidents promptly, suggesting that the successful prosecution of Flowers and Jubair may not have been possible without TfL’s cooperation.
The City of London Police has also used this case to advocate for Cyber Crime Risk Orders, which would allow courts to impose restrictions on individuals’ access to devices and online services based on their risk profiles. Commander Ollie Shaw described these orders as a potential “digital prison” for offenders, underscoring the evolving landscape of cybersecurity legislation.
As the legal and technical ramifications of this case unfold, it serves as a stark reminder of the vulnerabilities faced by critical infrastructure and the ongoing battle against cybercrime.
For further details on this case, refer to the original reporting source: thehackernews.com.
Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.


