“Selfish bravado” was, the judge concluded, part of the motivation behind a cyber-attack that has left Transport for London (TfL) counting direct bills and operational headaches in the tens of millions. Judge Justice Turner pronounced identical custodial sentences of five years and six months on July 16, 2026, for two young men found guilty of the breach.
Judge Justice Turner’s sentence and reasoning
Owen Flowers, 18, and Thalha Jubair, 20, pleaded guilty on June 22, 2026, to committing unauthorised acts against TfL under the UK’s Computer Misuse Act (CMA). Their pleas came in what the record describes as only the second criminal prosecution of its kind in the UK under the CMA. Sentencing at Woolwich Crown Court took account of mitigating factors — notably the defendants’ youth and diagnosed neurodiversity — and aggravating factors, including the court’s finding that their “high expertise” made it likely they understood the impact of their actions.
The judge also noted evidence that portions of the operation were broadcast: the pair streamed some of the “progress of their activity” to a live audience, a detail the court cited in assessing motive and culpability.
How the attackers gained and maintained access: social engineering and 2FA reset
Flowers and Jubair gained initial access to TfL systems on 31 August 2024 and kept that access until 3 September 2024. A senior officer from the National Crime Agency (NCA) told the court the pair used partial user credentials obtained from “well-known online criminal marketplaces and forums,” combined with social engineering techniques, to request and eventually obtain a two-factor authentication (2FA) reset.
“It took multiple attempts to successfully reset that 2FA, so they were persistent — as we know they are — and then they then worked to escalate privileges within TfL systems,” the senior NCA officer said. Telegram messages produced during the investigation showed the two in close contact throughout the operation and referenced access to TfL’s database of people with Oyster cards.
Financial and operational impact on TfL and users
The attack did not shut down the transport network itself, but it disrupted a broad array of internal and customer-facing systems and had significant financial consequences. The NCA attributed £29m ($38m) in loss and recovery costs to the incident; TfL separately claimed around £10m ($13.5m) in lost income.
Operational effects included access to data from TfL’s Oyster refund system, which prompted TfL to close applications for Oyster photocards for children and young people. The breach also forced the shutdown of the Dial-a-Ride booking system used by people with disabilities, and data on live tube times for third-party apps such as TfL Go and CityMapper was taken offline. More than 27,000 TfL employees were required to reset passwords in person after the compromise.
The NCA estimated the incident affected between seven and 10 million people in the UK. The agency also warned that had the attackers succeeded in shutting down the transport network, the cost to the UK economy could have reached as much as £56bn ($75bn).
Scattered Spider, The Com, and the lineage of the attackers
Flowers and Jubair are believed to be part of a group known as Scattered Spider. The group has been linked in the source record to major cyber-attacks in prior years, including those against Marks & Spencer and the Co-op in 2025. Scattered Spider — along with other groups such as Lapsus$ and ShinyHunters — is described as having emanated from a loose collective known as The Com.
Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, characterised the prosecution as unprecedented in scale: “This is the largest cybercrime prosecution ever brought before the UK courts and the culmination of nearly two years of painstaking work by the NCA, Crown Prosecution Service (CPS) and our policing partners.” He added, “Scattered Spider has been the most significant cybercrime threat to the UK in recent years. Through this investigation, we have severely disrupted that threat and brought key offenders to justice.”
What this means for technologists, policymakers, and TfL employees
- Technologists and security teams: The case underscores the potency of social engineering combined with credential material sourced from criminal marketplaces; the attackers’ persistence in resetting 2FA and then escalating privileges is central to how the breach unfolded.
- Policymakers and prosecutors: The prosecution — described by the NCA as the largest of its kind — sets a legal marker under the Computer Misuse Act, showing how courts may weigh expertise, broadcasting of activity, and non-financial motives such as “selfish bravado” when sentencing.
- TfL employees and customers: Tens of thousands of staff had to reset credentials in person and millions of users experienced service impacts, from disrupted refunds and photo-card applications for young people to temporary loss of live-timetable data in third-party apps.
The sentence imposed by Judge Justice Turner closes a lengthy investigative chapter led by the NCA and CPS, but the record compiled in court — dates of access, the use of criminal marketplaces for credentials, the targeted disruption of back-office and customer systems, and the broadcast of activity to a live audience — will remain a reference point for how similar cases are investigated and prosecuted in future.




