The sentencing of Owen Flowers and Thalha Jubair has brought closure to a case that has shaken the UK's cybercrime landscape. The two men have each been handed five and a half years in prison for their roles in the 2024 Transport for London (TfL) cyberattack, which remains one of the most significant incidents of its kind in British history.
Flowers, now 21, and Jubair, 22, had pleaded guilty to charges under Section 3ZA of the Computer Misuse Act 1990 in June 2026. This admission led to a 15% reduction in their sentences. Mr Justice Turner acknowledged the pair's youthful naivety, but also highlighted the sophistication and planning that went into the attack, as well as its profound impact on TfL's operations.
Authorities have consistently linked Flowers and Jubair to Scattered Spider, a loose network of young, English-speaking cybercriminals who have been responsible for several high-profile attacks. These include the 2023 hack on MGM Resorts and various British retail giants in 2025. The National Crime Agency (NCA) has repeatedly identified Scattered Spider as one of the UK's most pressing cyber threats.
The conviction marks only the second time Section 3ZA of the CMA has been successfully applied, and it demonstrates the willingness of law enforcement to tackle even the most complex cases. Flowers and Jubair pleaded guilty to reckless rather than intentional acts under this section. The previous application of this section resulted in a six-year sentence for a former GCHQ intern in 2025.
Paul Foster, Deputy Director and head of the NCA's National Cyber Crime Unit, praised the collaborative effort that led to the successful prosecution. He urged other organisations to engage with law enforcement early in similar incidents, highlighting the significant disruption caused by the TfL attack. London's Transport Commissioner, Andy Lord, welcomed the sentences, reaffirming TfL's commitment to protecting customer data and maintaining system security.