Two young members of a criminal hacking group who livestreamed themselves carrying out a cyber attack on Transport for London (TfL), which forced them to “pull the plug” on their own systems, have been jailed.
Thalha Jubair, 20, and Owen Flowers, 18, conducted an “extremely serious hack” on TfL’s online network, which could have caused “catastrophic damage” to their systems between 31 August and 3 September 2024.
The “multi-day intrusion” meant all of TfL’s more than 27,000 employees were forced to attend an office in person to reset their passwords.
In a sentencing hearing on Wednesday, the prosecution said the hackers “could have shut out and shut down TfL completely” as they eventually had the “highest privileged access” in the system, known as “the keys to the kingdom”.
Mark Fenhalls KC, prosecuting, said: “These two young men are highly skilled with computers and capable of wreaking havoc and you may think wholly indifferent to the consequences for the public and the potential suffering and costs to others.”
Data from the Oyster refund system was accessed, contactless systems were delayed and applications for Oyster photocards for children and young people were closed down.

At Woolwich Crown Court on Thursday, Jubair and Flowers were each jailed for five years and six months.
In a televised sentencing, Mr Justice Turner addressed the defendants and said: “I’m satisfied that your actions were primarily motivated by selfish bravado heedless of the consequences on others.”
The defendants have been linked to the Scattered Spider, and used that name in communication with each other during the attack, the court heard.
Along with the £29 million in damages from disruption to services and operational work, TfL claims the incident cost £10 million in lost income.
The hackers worked through the night for 16 hours to access the TfL systems after tricking the helpdesk into resetting a password for them, the court heard.
They then logged on to Microsoft Azure and began “using TfL’s own systems to hack itself” as they moved up through the system.
“They are both experienced and talented hackers who were together in concert with others to attack TfL,” said Mr Fenhalls.
Flowers livestreamed Jubair as he conducted the hack and some of the videos were recovered when he was arrested three days later on 6 September.
The pair were in constant contact during the attack and spoke about “nuking access” to the servers on their way out.

The prosecution said the pair were “utterly reckless about the consequences” and underlined a potential loss of billions to the UK if the hackers had locked or destroyed the central TfL system.
In a victim impact statement read out in court on Wednesday, TfL said they believed the hackers had “sufficient access” during the attack “to cause catastrophic damage to many technology systems, which would have led to significant and extended transport service degradation and disruption”.
Mr Fenhalls said: “TfL effectively pulled the plug on their own systems, they disconnected all computer connectivity to the internet.
“It was the only thing at that point that they could have done to remove the threat from the system and prevent a catastrophe.”
Defending Jubair, Paul Keleher KC compared his client to a “modern-day Oliver Twist” who had been groomed from a young age to use his skills for hacking.
Jubair was sentenced last year for 22 offences including hacks on individuals, telecoms businesses and the City of London Police system, the court heard.
On behalf of Flowers, who was 17 when he conducted the hack, Adam Davis KC described his client as an “immature child trying to show off online”.
When Flowers was arrested in September 2024, his laptop was found in the process of hacking two US healthcare systems.
Those hacks were only stopped because of the “fortuitous timing” of his arrest, the court heard.
Both young men admitted conspiracy to commit unauthorised acts in relation to a computer causing or creating risk of serious damage.
Flowers also admitted two counts of conspiracy to commit unauthorised acts in relation to a computer with intent to impair, in relation to the healthcare systems.
More follows on this breaking news story. Subscribe here to get the latest updates from The Independent


