On 16 July, at Woolwich Crown Court, two young men were sent to prison for five and a half years each for one of the most disruptive cyber attacks Britain has suffered. Thalha Jubair is 20, from East London. Owen Flowers is 18, from Walsall. When they attacked Transport for London in the late summer of 2024, one of them was still a schoolboy.
The National Crime Agency is calling it the largest cyber-crime prosecution ever brought before the UK courts. That is worth pausing on, because two things about this case are unusual at the same time, and they pull in opposite directions. The damage was enormous and done by teenagers. And — rarely — the teenagers were caught.
What they did
The attack ran from 31 August to 3 September 2024. In those few days, the pair — described by the NCA as leading members of the criminal collective Scattered Spider — knocked 148 TfL systems out of action. Every one of TfL's 27,000 staff had to have their passwords reset in person, because the organisation could no longer trust its own remote identity systems. Dial-a-Ride, the accessible-transport booking service, went down. Contactless and digital payments were disrupted. The issuing of concessionary travel cards and Oyster photocards stopped.
The data side was worse than the outage. Around 5,000 people who had claimed Oyster refunds had their details exposed — and not just names and addresses, but in some cases bank account numbers and sort codes. That is the kind of data that turns straight into fraud.
TfL and the prosecution put the cost at £29 million in losses and recovery. And the court heard an estimate that a full shutdown of London's transport network could have cost the UK economy something on the order of £56 billion — a hypothetical, not a bill, but a useful measure of how close to genuinely critical infrastructure these two were operating.
One thing the sentencing coverage did not spell out is exactly how they got in. That matters, so I will be careful: the court materials I have seen do not detail the entry point. But Scattered Spider's hallmark — the method that runs through almost all of its other victims — is not clever malware or a zero-day. It is social engineering: talking a help desk or an employee into granting access or resetting a credential. If TfL followed the pattern, the door to 148 systems was opened by a conversation, not an exploit. I will update this if the primary detail emerges.
The sentence, and why it is notable
Both men were sentenced under section 3ZA of the Computer Misuse Act — the most serious offence in the Act, reserved for unauthorised acts that cause, or risk causing, serious damage. They had pleaded guilty. Five years and six months each.
You can argue about whether that is enough for £29 million of damage, thousands of exposed bank details, and the paralysis of part of a capital city's transport authority. I have some sympathy with the view that it is light. But the more important point is the one the NCA is quietly making by calling this the biggest prosecution of its kind: somebody was actually caught, named, tried and jailed.
That is far rarer than it should be, and if you have read my other writing you will know why it stands out. When Qantas lost 5.7 million customer records to the same broad cluster, the practical recourse was a court injunction against anonymous offshore actors — close to symbolic. When most organisations are breached, the people responsible are a handle on a forum and an IP address in a country that will not answer the phone. Here, for once, the attackers were British, on British soil, within reach of British law. That is what made the prosecution possible, and it is why this case is a genuine data point about whether deterrence can work — not just another breach with no one held to account.
This was not a prank
There is a lazy narrative around young hackers — mischievous kids, curiosity gone too far, no real harm meant. This case should end it.
The Crown Prosecution Service told the court that Flowers had threatened to "lock those systems down" while acknowledging that doing so "might kill some 90-year-old on life support." Read that again. This was not someone who did not understand the stakes. It was someone who understood them and continued. And when he was arrested, Flowers was reportedly in the middle of attacking two American healthcare providers — Sutter Health and SSM Health Care Corporation. Not transport systems. Hospitals.
Jubair's reach was wider still. A US complaint filed in New Jersey in September 2025 accuses him of involvement in roughly 120 network intrusions affecting more than 47 victims, tied to some $115 million in ransoms paid. The TfL attack, for which he will serve his British sentence, was one line in a much longer ledger.
Whatever these two were, they were not children playing. They were operators who knew the human cost of what they did and pressed on regardless.
Two down, a collective still standing
It would be comforting to read this as a decisive blow, and it is not. Scattered Spider — also tracked as Octo Tempest, UNC3944 and 0ktapus — is not an organisation you can decapitate. It is a loose, largely young, largely English-speaking subculture that recruits, disperses and reconstitutes. Take two members off the board and the game continues with others.
I have written before about what these teenagers taught the Fortune 500: that a decentralised collective of native-English-speaking young people, fluent in the way large organisations actually work, turned out to be far more dangerous than the stereotype of the foreign state hacker, precisely because they could pick up a phone and sound exactly like a stressed employee who has forgotten their password. TfL is that lesson written in £29 million and 148 systems.
So does jailing two of them deter the rest? Honestly, I do not know, and anyone who tells you they are certain is guessing. This cohort is young, geographically spread, and partly motivated by status within the subculture as much as money. Prison is a real cost and a real signal — the NCA is right to want the headline. But I made the same argument about ransomware takedowns in what disruption actually achieves: the value of law enforcement here is real but incremental, measured in friction and intelligence and the slow raising of the cost of doing business, not in a single decisive end to the threat. Two convictions is a good day. It is not a solved problem.
The uncomfortable lesson for the rest of us
Strip the case back to its mechanics and it is, once again, not a story about sophisticated attackers out-engineering their victim. It is a story about the human perimeter — the help desk, the support line, the person whose job is to be helpful — being the way in. TfL is a large, well-resourced organisation. It was not undone by a flaw no one could have patched. On the pattern of this group, it was undone by trust extended to the wrong caller.
That is the part every board and every security team should sit with, because your organisation has the same soft edge. The defences that matter against this are the ones I keep coming back to, and none of them are exotic: a hardened identity-verification process for anyone requesting access or a password or MFA reset, especially by phone; a firm rule that credentials and MFA are never reset on an inbound request alone; tight control of privileged accounts; and — because 148 systems went down and 27,000 people needed in-person resets — incident-response and business-continuity plans that have actually been rehearsed, including the ugly scenario where you cannot trust your own remote access and have to fall back to doing things in person. If your recovery plan has never been tested against "assume identity is compromised," TfL is your warning.
For the non-executive directors reading this, it folds neatly into the questions you should already be asking: not "are our firewalls good," but "could someone talk their way past our help desk, and if they did, how long until we noticed and how fast could we recover?"
The two truths of this case
Hold both at once, because that is the honest reading. The first is grim: two teenagers, using little more than persuasion and nerve, caused tens of millions in damage, put thousands of people's bank details at risk, and were reportedly willing to endanger lives to do it — and the collective they belong to is bigger than them and still working. The second is quietly encouraging: this time, the people responsible were identified, arrested, and are going to prison, and the state is treating it as the serious crime it is rather than a technical footnote.
Both are true. The phone will still ring at your help desk. But occasionally, now, the person on the other end of it ends up in a cell — and that is worth something, even if it is not yet enough.