Dark world of baby-faced hackers who crippled TfL network from their bedrooms
A court has sentenced two teenage hackers for a cyberattack that crippled Transport for London (TfL) systems from their bedrooms, triggering major disruption and large costs. Thalha Jubair, 20, and Owen Flowers, 18, were jailed for an “extremely serious” breach that cost TfL £29 million and gave them access for four days between August 31 and September 3, 2024. Sentenced to five and a half years each, both pleaded guilty in June. Prosecutors said the 16-hour attack halted live tube arrival times in the TfL Go app and website and stopped TfL from processing payments on Oyster and contactless services. All 27,000 TfL employees had to reset passwords in person, while seven million commuters’ data was stolen. The breach made 148 technology systems inoperable and heavily disrupted services such as Dial-a-ride for disabled and vulnerable passengers. Investigators also heard they used stolen login details to trick TfL’s helpdesk, then exploited Microsoft Azure and TfL systems to erase evidence, with remote servers and virtual machines used to conceal the origin.







