4
‘Keys to the kingdom’: hackers who gained access to heart of London transport network jailed
As a result of the attack, TfL was unable to process any payments on the Oyster and contactless apps or to register Oyster cards to customer accounts. Photograph: William Barton/Alamy View image in fullscreen As a result of the attack, TfL was unable to process any payments on the Oyster and contactless apps or to register Oyster cards to customer accounts. Photograph: William Barton/Alamy ‘Keys to the kingdom’: hackers who gained access to heart of London transport network jailed Thalha Jubair, 20, and Owen Flowers, 19, sentenced to five and a half years each for cyber-attack that cost Transport for London £39m The data of millions of commuters was stolen, Londoners were left out of pocket and 27,000 Transport for London staff were forced to reset their passwords. Over four days in 2024 a pair of teenage hackers had London’s transport network at their mercy. Thalha Jubair and Owen Flowers had burrowed into the heart of Transport for London’s IT systems and held the “keys to the kingdom”. While the main tube and bus networks were not directly affected, the dial-a-ride service for disabled passengers was unable to process bookings for a period. The head of TfL , Andy Lord – a veteran of British Airways – said the attack was the worst incident he had faced in his career. TfL said the attack, which occurred between 31 August and 3 September 2024, could have caused “catastrophic damage” to its technology systems and could have led to “significant and extended transport service degradation and disruption”. In the end, the duo were only stopped when TfL in effect “pulled the plug” on its systems. They pleaded guilty in June, and on Thursday Jubair was sentenced to five and a half years for the attack, and Flowers to five and a half years for the TfL crime as well as for hacking two US healthcare providers. View image in fullscreen Thalha Jubair, left, and Owen Flowers had accrued millions of dollars in cryptocurrency through their hacking activities. Composite: PA/National Crime Agency At one point, according to prosecutors in the case, Jubair and Flowers “could have shut out and shut down TfL completely” having hacked their way to the “highest privileged access” in the system and creating a “domain admin” account described in court as “the keys to the kingdom”. They even searched through TfL’s customer database for celebrities. The data of millions of commuters was stolen, Londoners were left out of pocket and 27,000 TfL staff were forced to reset their passwords. While the main tube and bus networks were not directly affected, the dial-a-ride service for disabled passengers was unable to process bookings for a period. The head of TfL, Andy Lord – a veteran of British Airways – said the attack was the worst incident he had faced in his career. 0:32 Owen Flowers and Thalha Jubair arrested for hacking into TfL systems in 2024 – video The two hackers had led apparently closeted, online lives which nonetheless had a disproportionate impact on the outside