Two British teenagers have pleaded not guilty to allegations that they helped carry out a high-impact cyberattack against Transport for London (TfL), the authority that runs the capital’s Tube and bus networks. Prosecutors accuse the pair of taking part in a targeted network intrusion in the summer of 2024 that exposed customer data and left TfL with tens of millions of pounds in losses and recovery costs.
Nineteen-year-old Thalha Jubair from east London and eighteen-year-old Owen Flowers from Walsall now stand at the centre of a test case for how the UK handles serious cyber offences against critical national infrastructure. They face some of the most severe Computer Misuse Act charges available, while investigators continue to frame the attack as part of a wider campaign linked to the “Scattered Spider” criminal collective.
How the TfL cyberattack emerged and what investigators believe happened
The intrusion that ultimately brought Jubair and Flowers into the dock took place in late August and early September 2024. Investigators say attackers gained unauthorised access to TfL systems over several days, moving laterally through parts of the network that support customer-facing services and internal tools.
As TfL’s security teams and external partners traced unusual activity, they realised the breach had affected personal data linked to customer accounts and Oyster card refunds. Earlier court hearings heard that the attack contributed to an estimated £39 million in losses, combining direct costs, disruption and recovery.
Although trains and buses continued to run, TfL reported that some digital services, including traffic cameras, parts of its online portals and elements of back-office processing, suffered prolonged disruption. At the same time, the organisation had to notify affected customers that attackers might have accessed names, contact details and bank information connected to refund transactions.
Because of that combination of customer-data exposure and potential operational impact, the case quickly moved beyond routine IT incident territory and into the realm of critical-infrastructure cybercrime.
The charges: conspiracy, human welfare risk and refused passcodes
Prosecutors have charged both teenagers with conspiring to commit unauthorised acts in relation to a computer, in a way that allegedly caused or created a significant risk of serious damage to human welfare and to the economic interests of the UK.
In practice, that legal language reflects fears that large-scale attacks on transport systems can leave staff unable to work, passengers unable to move and businesses unable to rely on licensing and ticketing functions. During earlier hearings, the court heard that the TfL incident allegedly led to a “loss of livelihood” for some people who rely on TfL-issued licences to operate.
The charge sheet does not simply focus on unauthorised access. Investigators also believe the attackers attempted to install ransomware inside parts of TfL’s environment, although details of any payloads or encryption attempts have not been fully disclosed in public.
Alongside the joint TfL conspiracy charge, the Crown Prosecution Service brought additional counts against each defendant. Flowers faces allegations that he conspired with others to break into, and damage, networks belonging to US healthcare organisations SSM Health Care Corporation and Sutter Health.
Jubair, meanwhile, stands accused of refusing to provide investigators with passcodes for devices seized during the investigation, an offence under UK powers that compel decryption assistance.
What happened in court: not guilty pleas and a long road to trial
Both defendants appeared at Southwark Crown Court in London on 21 November 2025. There, they stood side by side in the dock and spoke only to confirm their names and to enter not-guilty pleas to every count.
The court set a trial date of 8 June 2026, with a pre-trial review hearing scheduled for 13 February. Until then, the legal process will move through disclosure, defence case preparation and further arguments over technical evidence.
While prosecutors frame the pair as part of a wider English-speaking cybercrime ecosystem, defence teams suggest investigators may have misattributed activity, misunderstood shared infrastructure or over-stated the level of control the teenagers allegedly held over the intrusion. Those arguments will crystallise as the trial approaches, when the court examines indicators such as IP logs, device forensics, messaging records and any links to known threat groups.
Impact on TfL: customer data, online services and critical infrastructure status
Even though the attack did not shut down trains or buses, it still hit TfL where it hurts: in the digital systems that sit around physical operations. Reports submitted to previous hearings describe how customer-facing portals, back-office tools and certain real-time information services suffered outages or degradation after the breach.
Transport for London also had to address the fallout from exposed personal data. Notices sent to affected customers warned that attackers might have accessed names, email addresses, home addresses and bank account details linked to refund processes. For any public authority, that mix of operational disruption and potential financial-fraud risk creates a reputational hit that lingers long after systems come back online.
Because TfL forms part of the UK’s critical national infrastructure, national agencies treated the case as more than a one-off hack. The National Crime Agency (NCA) and City of London Police worked together on raids and arrests, while senior officials publicly described the incident as an example of how English-speaking cybercriminal groups now aim directly at core services.
Why public transport has become a prime cybercrime target
From an attacker’s perspective, transport authorities offer a powerful combination of leverage and visibility. They handle large volumes of payment data, manage complex operational networks and operate under constant pressure to keep services running. Consequently, a single well-timed intrusion can deliver both financial gain and media attention.
Groups like Scattered Spider, which investigators loosely connect to the TfL case, already have form in high-profile extortion attacks across sectors such as automotive, retail and technology. Because modern transport systems rely so heavily on cloud services, third-party software and remote-access tools, attackers can probe many different edges for weak VPN configurations, exposed admin panels or stolen credentials.
At the same time, public-sector environments often carry legacy systems and politically constrained budgets. That combination can leave gaps in segmentation, monitoring and incident-response readiness. When a determined actor finds one of those gaps, they can move quickly from foothold to sensitive data, as the TfL case illustrates.
UK cybercrime penalties: a case that pushes the limits
The charges brought against Jubair and Flowers sit at the top end of what English law provides for computer offences. One of the specific conspiracy formulations used in this case (creating a risk of serious damage to human welfare or national security) can, in theory, carry a maximum sentence of life imprisonment.
In practice, courts weigh age, previous history, actual harm, intent and cooperation when they sentence younger defendants. Even so, the decision to apply such severe offences signals how seriously prosecutors now treat attacks against critical infrastructure. It also shows how UK authorities want to send a deterrent message to other teenagers who may view high-impact hacking as a low-risk way to gain status in underground communities.
Because this case crosses borders, through the alleged US healthcare intrusions and a separate complaint against Jubair in the United States, any eventual outcome may also influence how UK and US agencies coordinate future prosecutions of young cyber offenders.
What organisations can learn from the TfL case
For defenders across public transport and other critical sectors, the TfL cyberattack reinforces several familiar lessons that still do not always translate into practice.
First, infrastructure operators need to assume that motivated attackers will eventually obtain at least limited access to parts of their environment. Therefore, architectural choices around segmentation, identity, least privilege and monitoring matter just as much as perimeter controls.
Second, organisations should treat customer-facing portals and back-office tools as equally valuable. Attackers often move from softer web applications into more sensitive systems through poorly controlled integrations, shared accounts or legacy admin interfaces.
Third, incident-response plans must blend cyber and operational risk. When a transport authority faces ransomware or data theft, teams need clear playbooks that cover both technical containment and decisions around service continuity, public messaging and regulatory notification.
Because attackers increasingly target infrastructure for both money and influence, organisations that prepare in depth, rather than relying on headline-level compliance, stand a far better chance of containing damage when a breach does occur.
A cybercrime test case with broad implications
For now, Jubair and Flowers remain accused, not convicted. They firmly deny taking part in the TfL cyberattack, and the court will spend much of 2026 testing the strength of the digital-forensic trail that points in their direction.
However, the case already illustrates how infrastructure attacks, teenage threat actors and cross-border investigations now intersect. As London’s transport authority continues to strengthen its defences, other operators should treat this incident as a warning shot: the line between “online mischief” and critical-infrastructure crime has effectively disappeared.
FAQs
What do prosecutors say happened inside TfL’s systems?
Prosecutors allege that attackers carried out a coordinated network intrusion between late August and early September 2024, moving through TfL systems without permission and attempting to deploy ransomware. They say the attack disrupted digital services, exposed customer data and contributed to losses estimated at around £39 million.
Did the cyberattack shut down London’s Tube or bus services?
No. Trains and buses continued to operate, although TfL reported disruption to some online services, information systems and back-office tools. The main impact fell on digital infrastructure and customer-data security rather than on the physical movement of passengers.
How were the teens identified as suspects?
Officers from the National Crime Agency and City of London Police arrested the two teenagers at their homes in September 2024, following a joint investigation into the TfL intrusion and related cyber activity. Investigators have not released full technical details, but they describe the case as part of a broader effort to disrupt English-speaking cybercriminal groups, including those linked to Scattered Spider.
What penalties could they face if found guilty?
The conspiracy offences used in this case rank among the most serious under the Computer Misuse Act, especially where prosecutors argue that an attack created a risk to human welfare or national security. In theory, those charges can carry sentences up to life imprisonment, although any actual sentence would depend on age, intent, harm and mitigation.
Why do public transport networks interest cybercriminals?
Transport networks combine payment data, operational technology and high public visibility. Because disruptions quickly make news and affect millions of people, attackers see them as high-leverage extortion targets. At the same time, many transport authorities are still modernising legacy systems, which can leave gaps in segmentation, monitoring and identity controls that skilled adversaries can exploit.