London, November 23, 2025
Two teenagers, Thalha Jubair (19) and Owen Flowers (18), have pleaded not guilty to charges of orchestrating a major cyberattack against Transport for London (TfL) in August 2024, which caused extensive disruption and an estimated £39 million in damages. This case highlights significant concerns over cybersecurity risks to critical infrastructure.
Charges and Impact
Jubair and Flowers face allegations of conspiring to execute unauthorized acts against TfL’s computer systems. The attack compromised sensitive personal data including names, email addresses, home addresses, and potentially bank account details. While physical transport infrastructure remained intact, TfL’s online services such as passenger information boards, traffic camera feeds, dial-a-ride booking platforms, and certain payment systems were taken offline. These disruptions lasted for approximately three months, severely impacting TfL’s digital operations and customer service.
Details of the Cyberattack
Attributed to the hacker group known as Scattered Spider, the cyberattack’s digital intrusion exposed vulnerabilities in TfL’s cybersecurity frameworks. The hackers exploited IT systems to access and exfiltrate data, thereby triggering a comprehensive shutdown of many digital functions. The breach also risked privacy by exposing commuters’ and staff data, raising public safety and data protection issues.
Investigation and International Cooperation
The investigation into this high-profile incident mobilized multiple law enforcement agencies and international partners. UK bodies, including the National Crime Agency (NCA) and City of London Police, worked closely with the FBI and other United States authorities, reflecting the cross-border nature of modern cybercrime. The collaboration exemplifies growing international efforts to combat technologically sophisticated criminal networks exploiting global connectivity.
Defendants and Additional Charges
Apart from the charges related to the TfL breach, Owen Flowers also faces accusations tied to cyberattacks against computer networks in the U.S. health sector. Thalha Jubair faces further allegations of failing to disclose passwords to seized devices during the investigation and additional charges in the United States. Both deny all charges, maintaining their not guilty pleas as the legal process progresses.
Broader Cybersecurity Implications
This case brings to light the escalating threat posed by cybercriminal groups targeting vital national infrastructure. The involvement of young individuals in complex cyberattacks signals a shift in the threat landscape, with increased sophistication among teenage hackers. The incident has reignited debates on the adequacy of cybersecurity investments and preparedness in UK public sector organizations, particularly those managing essential services.
Legal Proceedings and Future Outlook
A trial date for Jubair and Flowers has been provisionally set for June 8, 2026, at Southwark Crown Court, preceded by a pre-trial hearing scheduled for February. Legal experts note that this case may set important precedents for prosecuting cybercrime within UK jurisdiction, especially concerning youth offenders linked to international hacker groups.
The TfL cyberattack continues to underscore the vital importance of robust cybersecurity measures to safeguard public infrastructure. As digital systems become integral to urban transportation and services, protecting these assets from disruptive cyber threats remains a critical priority for authorities and policymakers alike.