21 November 2025

London Teens Deny Guilt In Massive TfL Cyber Attack

The two accused remain in custody as prosecutors allege a teenage hacker group caused £39 million in losses and months of disruption to London’s transport authority.

Two British teenagers, Thalha Jubair and Owen Flowers, have pleaded not guilty to charges stemming from a high-profile cyber attack on Transport for London (TfL), an incident that has sent shockwaves through the UK’s public infrastructure and cybersecurity communities. The pair, aged 19 and 18 respectively, appeared together at Southwark Crown Court on November 21, 2025, where they formally denied all allegations related to the summer 2024 attack. The event marks a significant moment in the ongoing battle against cybercrime targeting critical national infrastructure.

Investigators allege that between August 29 and September 6 of 2024, a sophisticated network intrusion—attributed to the notorious hacker collective Scattered Spider—penetrated TfL’s computer systems. According to Sky News, the attack led to millions of pounds in losses and recovery costs for the transport operator. The BBC further reports that the damage is estimated at £39 million, with disruptions to TfL’s online services and information boards lasting up to three months throughout the autumn of 2024. While the core transport network managed to keep running, many digital services, including traffic cameras and “dial a ride” bookings, were forced offline. TfL was also unable to process some payments during the aftermath.

Perhaps most troubling for many Londoners, the breach exposed the personal data of thousands of customers. As the BBC details, TfL notified affected individuals that their names, emails, home addresses, bank account numbers, and sort codes may have been accessed by the attackers. According to The Evening Standard, even Oyster card refund data was among the compromised information, raising concerns about identity theft and financial fraud.

In the dock, Jubair and Flowers spoke only to confirm their names and enter not guilty pleas. Both stand accused of conspiring to commit unauthorized acts against TfL’s computer systems under the Computer Misuse Act. Flowers, hailing from Walsall in the West Midlands, faces additional charges for allegedly targeting US healthcare firms SSM Health Care Corporation and Sutter Health. Jubair, from East London’s Tower Hamlets, is also charged under the Regulation of Investigatory Powers Act for failing to disclose PINs or passwords for his devices when requested by authorities in March 2025.

Their arrests in September 2025 were part of a broader operation conducted by the National Crime Agency (NCA) and City of London Police. The NCA believes the attack was orchestrated by Scattered Spider, a teenage hacker collective linked to other high-profile breaches, including those targeting Jaguar Land Rover and major UK retailers such as Marks and Spencer. According to Cybersecurity Insiders, the group has developed a reputation for targeting critical infrastructure and high-value corporate networks with aggressive tactics.

Paul Foster, head of the NCA’s cyber crime unit, described the charges as a “key step” in a “lengthy and complex investigation.” He noted, “This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure.” Foster also highlighted the growing threat posed by cybercriminals based in the UK and other English-speaking countries, emphasizing that Scattered Spider is a clear example of this trend. “The NCA, UK policing and our international partners, including the FBI, are collectively committed to identifying offenders within these networks and ensuring they face justice,” he said, as reported by Sky News.

For those dependent on TfL licenses for their livelihood, the attack had real-world consequences. The Evening Standard reported that the incident resulted in a “loss of livelihood” for some individuals, as the disruption to licensing systems impacted their ability to work. The court previously heard that the attack posed a “significant risk” to both the UK economy and the daily lives of London residents, underlining the far-reaching impact of cyber attacks on essential services.

Despite the scale of the breach, the transport network itself was not directly disrupted—a point repeatedly stressed by TfL and echoed in media coverage. However, the inability to access real-time information, book services, or process payments had a marked effect on commuters and operational staff alike. As the BBC put it, “many TfL online services and information boards went offline as part of the attack.”

Both defendants remain in custody as they await trial. Judge Christopher Hehir has set a provisional trial date for June 8, 2026, with a pre-trial review scheduled for February 13, 2026. The hearing is expected to last between four and six weeks, reflecting the complexity of the case and the volume of digital evidence to be examined.

Jubair and Flowers are not the only individuals to have been arrested in connection with the attack. According to Cybersecurity Insiders, four people in total—including three teenagers and one woman—were apprehended by authorities. The investigation has drawn on cooperation between the NCA, City of London Police, and international partners such as the FBI, underscoring the cross-border nature of modern cybercrime.

Transport for London, for its part, has been praised by law enforcement for its “swift action” in reporting the breach and cooperating with investigators. According to Paul Foster, TfL’s engagement was instrumental in the progress of the investigation. Still, the organization faces a long road to fully restoring confidence among its customers and rebuilding the affected systems. The cost of recovery—both financial and reputational—serves as a stark reminder of the vulnerabilities inherent in increasingly digital public services.

The case has also reignited debate over the adequacy of cybersecurity measures in the UK’s public sector. With critical infrastructure increasingly targeted by sophisticated criminal groups, many experts argue that investment in cyber defenses and incident response must be prioritized. The attack on TfL, believed to be orchestrated by a group of teenagers, has highlighted just how accessible and destructive hacking tools can be in the hands of determined adversaries.

As the legal process moves forward, the eyes of the cybersecurity world—and countless Londoners—will remain fixed on Southwark Crown Court. The outcome of the trial may set important precedents for how the UK prosecutes cybercrime and addresses the challenges posed by increasingly audacious hacker collectives. For now, the story stands as a cautionary tale about the fragility of our digital infrastructure and the far-reaching consequences when it is breached.

With the trial set for June 2026, the coming months promise further revelations about the methods, motives, and impact of one of the most significant cyber attacks in recent UK history.