I must confess that when I first read the bare details of the TfL cyber attack, my initial reaction was a weary sense of familiarity. Another breach, another round of headlines about "sophisticated" criminals, and yet another bill footed by taxpayers and passengers. Yet the story that has unfolded at Woolwich Crown Court over the past year tells something more instructive: the machinery of British law enforcement, often mocked for its sluggishness, can still grind out results against domestic cyber threats when it chooses to focus.
Thalha Jubair, 20, from east London, and Owen Flowers, 18, from Walsall, changed their pleas to guilty on 22 June this year. What had been scheduled as a six-week trial collapsed on its first day. Both men admitted conspiring to commit unauthorised acts against Transport for London's computer systems, acts that risked serious damage to human welfare. Sentencing is now set for 15 and 16 July before Mr Justice Turner.
The numbers are sobering. The National Crime Agency puts the direct losses and recovery costs at £29 million. TfL itself claimed that sum in damages plus another £10 million in lost income. This was not some harmless prank. The assault between 31 August and 3 September 2024 struck at the heart of London's transport network, the daily lifeline for millions.
Early warnings ignored
What makes the case quietly infuriating is how well known both offenders already were to the authorities. Flowers received a cease and desist order in October 2023 after low-level cyber crime at the age of 16. Jubair's record was even longer: 22 previous convictions for cyber offences stretching back to when he was 14, including a 2023 Youth Rehabilitation Order connected to the Lapsus$ group.
Devices seized from Flowers contained an Acer laptop holding a screenshot of network connectivity to TfL infrastructure, videos of Jubair accessing the systems, and tools apparently intended for selling breached credentials. Flowers also admitted infiltrating US healthcare companies SSM Health Care Corporation and Sutter Health. The pair were linked to the Scattered Spider hacking group, whose English-speaking members have become a growing headache for law enforcement on both sides of the Atlantic.
The cyber attack on Transport for London had a significant and far-reaching impact, causing major disruption and affecting the day-to-day operations of essential public services. Those who target critical organisations, cause substantial financial harm, and disrupt the daily lives of the public will not do so without consequence.
Those are the measured words of Nik Adams, Deputy Commissioner of City of London Police. He is right. The inconvenience to ordinary Londoners, the mandatory password resets for 28,000 TfL staff, the compromised Oyster refund systems and live travel information, all flowed from choices made by two individuals who had already been on the authorities' radar.