28,000 Transport for London employees had to queue up in person to reset their passwords after the September 2024 breach, but the damage was already done: 10 million customer records exposed, months of service disruption, and a stark reminder that the UK's cybercrime prevention playbook for teenagers has serious gaps.
Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from east London, pleaded guilty on Monday to the attack that crippled TfL for months. Both were known to law enforcement long before they joined the Scattered Spider collective and took down London's transport network.
Two Known Offenders, One Failed Intervention
Flowers first caught police attention in October 2023, shortly after turning 16. West Midlands Regional Cyber Crime Unit paid him a visit after catching him in low-level cybercrime. He didn't engage. They issued a cease and desist order. No further action. Just months later, he was inside Scattered Spider, targeting TfL.
Jubair's record is even longer. He started offending at 14. By 2023, while still a juvenile, he received a Youth Rehabilitation Order for Lapsus$-related hacks against Nvidia and BT/EE. He has 22 prior convictions total. The US wants him for allegedly stealing and extorting $87 million.
Police had the option to enroll Flowers in the national Cyber Choices program, designed to steer young people away from cybercrime. They deemed him unsuitable because he was already under investigation and reluctant to cooperate. No handcuffs, no real deterrent. Repeat.
The NCA Wants New Legal Teeth
NCA deputy director Paul Foster, head of the National Cyber Crime Unit, said the case highlights a small number of highly capable offenders that current powers can't contain. He's pushing for Cyber Crime Risk Orders (CCROs), proposed reforms to the Computer Misuse Act. These would let police impose restrictions on high-risk individuals before they carry out serious breaches, not after.
"They would enable earlier law enforcement interventions against high-risk cyber-crime offenders," Foster said. That's a direct admission that the current system failed here.
Crypto Millions and a US Extradition That Won't Happen
When police raided Flowers's bedroom on September 16, 2024, they seized laptops, desktops, hard drives, and USB sticks. They reportedly found cryptocurrency holdings worth millions of pounds. Investigators also uncovered evidence that he breached two US healthcare systems - SSM Health and Sutter Health. Flowers pleaded guilty to those hacks too. The US wants him, but the BBC understands authorities won't pursue extradition.
Both defendants have been diagnosed with autism. Jubair also has depression and a severe mood disorder. The court heard they don't seem to understand real-world consequences. Prof Peter Sommer, an expert witness from the earlier Lapsus$ case, put it bluntly: "They don't seem to understand the consequences and there are real victims here losing their life savings."
Flowers and Jubair are due to be sentenced on July 16. The UK government's proposed CCROs might give police the tools to stop the next Owen or Thalha before they take down a city's transport system.
Source: Teens who hacked TfL were known to police years before cyber-attack
Domain: bbc.co.uk
Comments load interactively on the live page.