Full Report
Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced to five and a half years at Woolwich Crown Court on Thursday, 16 July 2026, for the 2024 hack of Transport for London. The attack left 148 TfL systems inoperable and forced all 27,000 of the transport authority's employees into an office to get their passwords reset in person. Both the NCA and the CPS put TfL's losses and recovery
Analysis Summary
# Incident Report: 2024 Transport for London Cyberattack
## Executive Summary
In 2024, Transport for London (TfL) was targeted in a major cyberattack orchestrated by Owen Flowers and Thalha Jubair. The breach resulted in the disabling of 148 internal systems and required a manual, in-person password reset for the entire workforce of 27,000 employees. The perpetrators were eventually apprehended and sentenced to five and a half years in prison in July 2026.
## Incident Details
- **Discovery Date:** September 2024 (approximate)
- **Incident Date:** 2024
- **Affected Organization:** Transport for London (TfL)
- **Sector:** Transportation / Critical Infrastructure
- **Geography:** London, United Kingdom
## Timeline of Events
### Initial Access
- **Date/Time:** 2024
- **Vector:** Not explicitly disclosed in sentencing report (likely credential compromise or vulnerability exploitation).
- **Details:** Attackers gained unauthorized access to the internal TfL network environment.
### Lateral Movement
- Attackers navigated the internal network to identify critical infrastructure and administrative controls, eventually gaining enough privilege to impact nearly 150 disparate systems.
### Impact
- **System Disruption:** 148 internal systems were rendered inoperable.
- **Data Access:** Unauthorized access to employee and potentially customer data (though limited details were provided on exfiltration volume).
### Detection & Response
- **Discovery:** Unusual activity detected following system failures.
- **Response:** TfL initiated emergency protocols, including a mandatory organization-wide password reset.
## Attack Methodology
- **Initial Access:** Unauthorized entry (Specific entry point TBD).
- **Impact:** System disruption and denial of service across 148 platforms.
- **Credential Access:** Compromise of administrative or broad-user credentials, necessitating a total identity reset.
## Impact Assessment
- **Financial:** Significant recovery costs (NCA and CPS categorized losses as substantial).
- **Data Breach:** Compromise of internal systems and potentially sensitive employee/customer data.
- **Operational:** Massive disruption; 27,000 employees were unable to work remotely or via standard login, requiring physical attendance for identity verification.
- **Reputational:** High-profile disruption of London’s primary transport authority.
## Indicators of Compromise
- **Behavioral indicators:** Mass lockout of user accounts; simultaneous failure of 148 internal applications; unauthorized administrative commands detected in network logs.
## Response Actions
- **Containment:** Systems were taken offline to prevent further spread.
- **Eradication:** Law enforcement (NCA) involvement to track the perpetrators.
- **Recovery:** Mandatory in-person identity verification and password resets for all 27,000 staff members to ensure the integrity of the new credential baseline.
## Lessons Learned
- **Identity Security:** Reliance on digital password resets can be a single point of failure during a total compromise, leading to massive operational bottlenecks (e.g., forcing 27k people into offices).
- **Segmentation:** The ability of attackers to affect 148 different systems suggests a need for tighter network segmentation to contain lateral movement.
- **Insider/Youth Threats:** The age of the attackers (18 and 20) highlights the ongoing trend of young, technically skilled individuals targeting high-value infrastructure.
## Recommendations
- **Multi-Factor Authentication (MFA):** Ensure robust MFA is applied to all internal systems, not just the perimeter.
- **Zero Trust Architecture:** Implement micro-segmentation to ensure that a breach in one system does not lead to the collapse of 147 others.
- **Business Continuity Planning:** Develop "out-of-band" identity verification methods that do not require 27,000 people to physically travel to a central location during a crisis.