Owen Flowers, an 18-year-old from Walsall, has been sentenced to five years and six months in prison for orchestrating a £29 million cyber attack on Transport for London (TfL) alongside his accomplice Thalha Jubair, 20. The attack, which took place between August 31 and September 3, 2024, forced TfL to shut down its systems, requiring all 27,000 employees to reset their passwords and causing significant disruption to services.
Details of the Attack
The court heard that Flowers and Jubair, both experienced hackers associated with the group Scattered Spider, used social engineering and sophisticated software to exploit vulnerabilities in TfL's systems. They tricked the helpdesk into resetting a password, then worked through the night for 16 hours to gain access to Microsoft Azure, eventually achieving the highest level of system privileges—described as the 'keys to the kingdom'. This access could have allowed them to cause catastrophic damage, including shutting down TfL entirely.
The hackers accessed data from the Oyster refund system, delayed contactless payment systems, and shut down applications for Oyster photocards for children and young people. TfL reported £10 million in lost income and £29 million in damages from disruption and operational costs.
Sentencing and Impact
At Woolwich Crown Court on July 16, 2026, Mr Justice Turner sentenced both Flowers and Jubair to five years and six months in prison. The judge noted that the defendants 'engaged in a sophisticated intrusion upon and violation of the internal computer systems of TfL' and deployed a combination of techniques aimed at exploiting system vulnerabilities.
Prosecutor Mark Fenhalls KC stated: 'These two young men are highly skilled with computers and capable of wreaking havoc and you may think wholly indifferent to the consequences for the public and the potential suffering and costs to others.' He added that the hackers were 'utterly reckless about the consequences of hacking TfL' and that the attack only ended because TfL ejected them, not because they chose to stop.
A TfL witness told the court: 'It is possible that access could have been sufficient to enable the actor to cause catastrophic damage to many technology systems, which would have led to significant and extended transport service degradation and disruption.' The witness emphasized the potential impact on London's economy and the travelling public, including those accessing education, healthcare, and other essential services.
Additional Charges and Arrest
Flowers also pleaded guilty to two charges related to hacking US healthcare systems—SSM Health Care Corporation and Sutter Health. When he was arrested in September 2024, his laptop was actively engaged in hacking these systems, an attack that only ceased due to the timing of his arrest. A recording made by Flowers of Jubair livestreaming the hack was later recovered by police.
The defendants created multiple back doors within TfL's system, downloaded millions of lines of data, and used remote servers to conceal their attack's origin. They also created virtual machines to destroy evidence. The prosecution noted that the potential loss to the UK could have reached billions had the hackers locked or destroyed the central TfL system.



