Two British teenagers have pleaded not guilty to allegations that they helped carry out a high-impact cyberattack against Transport for London (TfL), the authority that runs the capital's Tube and bus networks. Prosecutors accuse the pair of taking part in a targeted network intrusion in the summer of 2024 that exposed customer data and left TfL with tens of millions of pounds in losses and recovery costs.
Nineteen-year-old Thalha Jubair from east London and eighteen-year-old Owen Flowers from Walsall now stand at the centre of a test case for how the UK handles serious cyber offences against critical national infrastructure. They face some of the most severe Computer Misuse Act charges available, while investigators continue to frame the attack as part of a wider campaign linked to the "Scattered Spider" criminal collective.
How the TfL cyberattack emerged and what investigators believe happened
The intrusion that ultimately brought Jubair and Flowers into the dock took place in late August and early September 2024. Investigators say attackers gained unauthorised access to TfL systems over several days, moving laterally through parts of the network that support customer-facing services and internal tools.
As TfL's security teams and external partners traced unusual activity, they realised the breach had affected personal data linked to customer accounts and Oyster card refunds. Earlier court hearings heard that the attack contributed to an estimated £39 million in losses, combining direct costs, disruption and recovery.
Although trains and buses continued to run, TfL reported that some digital services, including traffic cameras, parts of its online portals and elements of back-office processing, suffered prolonged disruption. At the same time, the organisation had to notify affected customers that attackers might have accessed names, contact details and bank information connected to refund transactions.
Because of that combination of customer-data exposure and potential operational impact, the case quickly moved beyond routine IT incident territory and into the realm of critical-infrastructure cybercrime.
The charges: conspiracy, human welfare risk and refused passcodes
Prosecutors have charged both teenagers with conspiring to commit unauthorised acts in relation to a computer, in a way that allegedly caused or created a significant risk of serious damage to human welfare and to the economic interests of the UK.
In practice, that legal language reflects fears that large-scale attacks on transport systems can leave staff unable to work, passengers unable to move and businesses unable to rely on licensing and ticketing functions. During earlier hearings, the court heard that the TfL incident allegedly led to a "loss of livelihood" for some people who rely on TfL-issued licences to operate.
The charge sheet does not simply focus on unauthorised access. Investigators also believe the attackers attempted to install ransomware inside parts of TfL's environment, although details of any payloads or encryption attempts have not been fully disclosed in public.
Alongside the joint TfL conspiracy charge, the Crown Prosecution Service brought additional counts against each defendant. Flowers faces allegations that he conspired with others to break into, and damage, networks belonging to US healthcare organisations SSM Health Care Corporation and Sutter Health.
Jubair, meanwhile, stands accused of refusing to provide investigators with passcodes for devices seized during the investigation, an offence under UK powers that compel decryption assistance.
What happened in court: not guilty pleas and a long road to trial
Both defendants appeared at Southwark Crown Court in London on 21 November 2025. There, they stood side by side in the dock and spoke only to confirm their names and to enter not-guilty pleas to every count.
The court set a trial date of 8 June 2026, with a pre-trial review hearing scheduled for 13 February. Until then, the legal process will move through disclosure, defence case preparation and further arguments over technical evidence.
While prosecutors frame the pair as part of a wider English-speaking cybercrime ecosystem, defence teams suggest investigators may have misattributed activity, misunderstood shared infrastructure or over-stated the level of control the teenagers allegedly held over the intrusion. Those arguments will crystallise as the trial approaches, when the court examines indicators such as IP logs, device forensics, messaging records and any links to known threat groups.
Impact on TfL: customer data, online services and critical infrastructure status
Even though the attack did not shut down trains or buses, it still hit TfL where it hurts: in the digital systems that sit around physical operations. Reports submitted to previous hearings describe how customer-facing portals, back-office tools and certain real-time information services suffered outages or degradation after the breach.
Transport for London also had to address the fallout from exposed personal data. Notices sent to affected customers warned that attackers might have accessed names, email addresses, home addresses and bank account details linked to refund processes. For any public authority, that mix of operational disruption and potential financial-fraud risk creates a reputational hit that lingers long after systems come back online.
Because TfL forms part of the UK's critical national infrastructure, national agencies treated the case as more than a one-off hack. The National Crime Agency (NCA) and City of London Police worked together on raids and arrests, while senior officials publicly described the incident as an example of how English-speaking cybercriminal groups now aim directly at core services.
Why public transport has become a prime cybercrime target
From an attacker's perspective, transport authorities offer a powerful combination of leverage and visibility. They handle large volumes of payment data, manage complex operational networks and operate under constant pressure to keep services running. Consequently, a single well-timed intrusion can deliver both financial gain and media attention.
Groups like Scattered Spider, which investigators loosely connect to the TfL case, already have form in high-profile extortion attacks across sectors such as automotive, retail and technology. Because modern transport systems rely so heavily on cloud services, third-party software and remote-access tools, attackers can probe many different edges for weak VPN configurations, exposed admin panels or stolen credentials.
At the same time, public-sector environments often carry legacy systems and politically constrained budgets. That combination can leave gaps in segmentation, monitoring and incident-response readiness. When a determined actor finds one of those gaps, they can move quickly from foothold to sensitive data, as the TfL case illustrates.
UK cybercrime penalties: a case that pushes the limits
The charges brought against Jubair and Flowers sit at the top end of what English law provides for computer offences. One of the specific conspiracy formulations used in this case, creating a risk of serious damage to human welfare or national security, can, in theory, carry a maximum sentence of life imprisonment.
In practice, courts weigh age, previous history, actual harm, intent and cooperation when they sentence younger defendants. Even so, the decision to apply such severe offences signals how seriously prosecutors now treat attacks against critical infrastructure. It also shows how UK authorities want to send a deterrent message to other teenagers who may view high-impact hacking as a low-risk way to gain status in underground communities.
Because this case crosses borders, through the alleged US healthcare intrusions and a separate complaint against Jubair in the United States, any eventual outcome may also influence how UK and US agencies coordinate future prosecutions of young cyber offenders.
What organisations can learn from the TfL case
For defenders across public transport and other critical sectors, the TfL cyberattack reinforces several familiar lessons that still do not always translate into practice.
First, infrastructure operators need to assume that motivated attackers will eventually obtain at least limited access to parts of their environment. Therefore, architectural choices around segmentation, identity, least privilege and monitoring matter just as much as perimeter controls.
Second, organisations should treat customer-facing portals and back-office tools as equally valuable. Attackers often move from softer web applications into more sensitive systems through poorly controlled integrations, shared accounts or legacy admin interfaces.
Third, incident-response plans must blend cyber and operational risk. When a transport authority faces ransomware or data theft, teams need clear playbooks that cover both technical containment and decisions around service continuity, public messaging and regulatory notification.
Because attackers increasingly target infrastructure for both money and influence, those that prepare in depth, rather than relying on headline-level compliance, stand a far better chance of containing damage when a breach does occur.
A cybercrime test case with broad implications
For now, Jubair and Flowers remain accused, not convicted. They firmly deny taking part in the TfL cyberattack, and the court will spend much of 2026 testing the strength of the digital-forensic trail that points in their direction.
However, the case already illustrates how infrastructure attacks, teenage threat actors and cross-border investigations now intersect. As London's transport authority continues to strengthen its defences, other operators should treat this incident as a warning shot: the line between "online mischief" and critical-infrastructure crime has effectively disappeared.
FAQs
What do prosecutors say happened inside TfL's systems?
Prosecutors allege that attackers carried out a coordinated network intrusion between late August and early September 2024, moving through TfL systems without permission and attempting to deploy ransomware. They say the attack disrupted digital services, exposed customer data and contributed to losses estimated at around £39 million.
Did the cyberattack shut down London's Tube or bus services?
No. Trains and buses continued to operate, although TfL reported disruption to some online services, information systems and back-office tools. The main impact fell on digital infrastructure and customer-data security rather than on the physical movement of passengers.
How were the teens identified as suspects?
Officers from the National Crime Agency and City of London Police arrested the two teenagers at their homes in September 2024, following a joint investigation into the TfL intrusion and related cyber activity. Investigators have not released full technical details, but they describe the case as part of a broader effort to disrupt English-speaking cybercriminal groups, including those linked to Scattered Spider.
What penalties could they face if found guilty?
The conspiracy offences used in this case rank among the most serious under the Computer Misuse Act, especially where prosecutors argue that an attack created a risk to human welfare or national security. In theory, those charges can carry sentences up to life imprisonment, although any actual sentence would depend on age, intent, harm and mitigation.
Why do public transport networks interest cybercriminals?
Transport networks combine payment data, operational technology and high public visibility. Because disruptions quickly make news and affect millions of people, attackers see them as high-leverage extortion targets. At the same time, many transport authorities still modernise legacy systems, which can leave gaps in segmentation, monitoring and identity controls that skilled adversaries can exploit.