Owen Flowers, an 18-year-old from Walsall, has been revealed in court as the 'bedroom hacker' who caused £29 million in chaos during a cyber attack on Transport for London (TfL). Flowers was just 17 when he and accomplice Thalha Jubair infiltrated TfL systems over four days in August and September 2024, forcing 27,000 employees to go into the office to reset passwords.
How the attack unfolded
The attack took place between August 31 and September 3, 2024. The pair tricked the TfL helpdesk into resetting a password, then used TfL's own systems to hack themselves, moving up through the network. They used remote servers to conceal their origin and built 'tunnels' to connect their computers to TfL systems. They deleted logs and digital material, making it harder for TfL to see what had happened.
Data from the Oyster refunds system was accessed, contactless systems were delayed, and applications for Oyster photocards for children and young people were shut down. The pair livestreamed the hack, but only three people watched the broadcast.
Caught in the act
Flowers was arrested at his home in Broad Lane, Walsall, at about 6pm on September 6, 2024. At the time, his computer was in the middle of hacking two US healthcare firms, SSM Health Care Corporation and Sutter Health. The attacks were only stopped because of the 'fortuitous timing' of his arrest.
Prosecutor Mark Fenhalls KC said: 'This case is about computer hacking which could have resulted in very significant damage to three different systems, belonging to TfL and two healthcare providers in the US. The extreme seriousness of this sort of criminal activity is linked to how central such computer systems have become to almost every aspect of our lives.'
Background of the hackers
Flowers and Jubair were members of a group dubbed 'Scattered Spider', said to have links to other cyberattacks. Flowers had no previous convictions but was known to authorities. In 2023, he was spoken to by the Cyber Choices (Prevent) team regarding concerns about his online behavior. He was given a warning and an opportunity to engage with the cyber equivalent of the anti-terrorism Prevent program but declined.
Adam Davis KC, defending Flowers, said the defendant was 'immature' and had been 'trying to show off online'. He offended 'from his bedroom', lives with his grandmother, and had 'struggled his whole life' with social relationships. When he moved in with his gran, he had 'no real friends', Davis said.
Jubair, 20, of Wellington Way, Tower Hamlets, East London, has committed more than 20 previous offences including hacking, fraud, and blackmail. Paul Keleher KC, defending Jubair, compared him to a 'modern-day Oliver Twist' who had been groomed from a young age to use his skills for hacking. However, Mr Justice Turner said: 'There's no Fagin in this case, it's a Faginless crime.'
Impact and sentencing
The attack cost TfL an estimated £29 million. The pair exported about six million lines of data during the attack. Both defendants admitted conspiracy to commit unauthorised acts in relation to a computer, causing or creating risk of serious damage. Flowers admitted a further count of conspiracy to commit unauthorised acts in relation to a computer, with intent to impair, regarding SSM Health Care Corporation, and pleaded guilty to attempting to commit unauthorised acts in relation to a computer, with intent to impair, regarding Sutter Health.
Mr Justice Turner will sentence the defendants on Thursday, July 16.



