Two teenage boys who launched a cyberattack on Transport for London (TfL) that cost the body tens of millions of pounds have now been sentenced.
Thalha Jubair, 20, and Owen Flowers, 18, appeared in court on Thursday (16 Jul), nearly two years after infiltrating TfL's network.
With help from the City of London Police, the National Crime Agency (NCA) identified the boys after they wreaked havoc on the organisation's internal systems between 31 August and 3 September 2024.
Their actions inconvenienced thousands of rail-taking customers, whose services were severely disrupted. This included the Dial-a-Ride booking service - which aids vulnerable residents of London - concessionary travel cards, the digital payments channel and contactless ticketing.
The Oyster refund system was also hacked, leaving customers out of pocket for prolonged amounts of time, while Underground passengers were unable to apply for photocards for their children and teenagers.
TfL had to cough up millions in refund and recovery fees (John Keeble/Getty Images) The agony was also felt by almost 30,000 members of TfL staff, who were forced to travel to a HW to have their passwords reset.
A staggering 148 internal operations systems became inoperable, and the organisation was forced to fork out a reported £29m in loss and recovery fees.
If the boys had managed to shut down the entire transport network, however, they could have cost TfL approximately £56b.
They were arrested at their respective home addresses several days later, after which it was discovered that Jubair, from London, and West Midlands-born Flowers were leaders of a criminal collective nicknamed 'Scattered Spider'.
While he was being arrested, police discovered that Flowers was actually in the midst of hacking in-house technology used by the US healthcare firms SSM Health Care Corporation and Sutter Health.
Flowers had been hacking healthcare systems in the US when he was arrested (National Crime Agency) Laptops - which contained video footage of Jubair accessing TfL systems during the attack - computer towers, USB sticks and hard drives found in his property were used as evidence when prosecutors began forming a case against the pair.
Despite being granted bail, Flowers was arrested for a second time for being non-compliant with conditions laid out to him regarding use of tech devices.
He and Jubair pleaded guilty to the attack at Woolwich Crown Court last month for the second ever prosecution of its kind, for which lawmakers cited Section 3ZA of the Computer Misuse Act (CMA).
This section applies where the unauthorised act intentionally creates significant risk and/or serious damage.
In court today, the pair were each sentenced to five years and six months imprisonment, and Jubair was also charged with failing to provide password and PIN information to the police.
Jubair received a second charge (National Crime Agency) Discussing the decision, Paul Foster, head of the NCA’s National Cyber Crime Unit, noted: "This is the largest cyber crime prosecution ever brought before the UK courts and the culmination of nearly two years of painstaking work by the NCA, CPS and our policing partners.
"Scattered Spider has been the most significant cybercrime threat to the UK in recent years. Through this investigation, we have severely disrupted that threat and brought key offenders to justice."
Foster added: "The attack on Transport for London caused significant financial harm and disruption to a vital part of the UK’s critical infrastructure.
"These convictions would likely not have been possible had Transport for London not engaged with law enforcement early, so I would urge any other organisation to please do the same in such circumstances."
He concluded: "We will continue working with partners in the UK and overseas to identify offenders and bring them to justice."