Two British hackers behind a 2024 cyberattack on London’s public transport body which cost £29 million ($39.16 million) to fix were each sentenced on Thursday to five and a half years in jail.
Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty last month to hacking Transport for London (TfL), which had been blamed on hacking collective “Scattered Spider”.
Jubair and Flowers hacked TfL between August 31 and September 3, 2024, working up to 16 hours a day — Jubair from his parents’ flat in east London, Flowers in his grandmother’s home in central England – after gaining access to TfL systems.
Jubair broadcast a livestream of the hack which Flowers watched, with the video found on Flowers’ laptop providing key evidence, prosecutor Mark Fenhalls said.
The pair could have “shut down TfL completely” and the attack was stopped only when TfL pulled the plug on their computer systems, Fenhalls said. The damage caused took six months to fix.
Flowers also admitted conspiring with others to hack two not-for-profit health systems in the United States just days after targeting TfL, with those attacks stopping “only because he was arrested and literally caught in the act”, Fenhalls added.
Flowers continued to attempt hacks from prison after his arrest, Fenhalls said, with devices showing search terms and attempts to access domains linked to the Crown Prosecution Service and the prison he was being held in.
Sentencing both Jubair and Flowers to five and a half years in prison, Judge Mark Turner said he accepted they were “primarily motivated by selfish bravado”.
Attack linked to ‘scattered spider’
British authorities have previously said a hacking collective known as Scattered Spider was responsible for the attack on TfL, with multiple reports also tying the group to an attack on retailer Marks & Spencer.
Prosecutors said on Wednesday it was a term coined by a cybersecurity firm and that Scattered Spider was considered more a pattern of behaviour than a defined group although Jubair and Flowers said they had links with it.
Jubair and Flowers were 18 and 17 when they targeted TfL but, Fenhalls said, they were already experienced hackers, “highly skilled with computers and capable of wreaking havoc”.
Jubair was convicted in 2023 of hacking and blackmailing chipmaker Nvidia as part of the Lapsus$ hacking group and was also sentenced for stalking two young women, including “swatting” one by trying to send armed police to her home.