Ukraine Protests Defence Minister Dismissal: Zelensky Faces Outrage Over Fedorov Sacking
Thousands protest in Kyiv after Zelensky sacks popular Defence Minister Fedorov amid tensions with military chief Syrskyi, sparking a political crisis.
Two Scattered Spider teen hackers sentenced to 5.5 years for the £29m TfL cyber attack that stole millions of customer records and forced 27,000 password resets.
The TfL cyber attack, carried out by the Scattered Spider collective, resulted in two teenage hackers being sentenced to five years and six months in prison at Woolwich Crown Court. Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from east London, pleaded guilty in June 2026 to the 2024 cyber-attack on Transport for London (TfL).
The attack disrupted TfL's online services for months, stole the personal data of millions of people, and forced all 27,000 TfL employees to reset their passwords in person. The National Crime Agency (NCA) has described the rise of young hackers in the UK as one of the biggest threats to the nation's cyber security.
Flowers was 17 and Jubair was 18 when they hacked into the capital's transport authority at 1700 on 31 August. The court heard that the pair streamed their 16-hour cyber-attack online, broadcasting their methods in real time. Telegram messages between them showed them boasting about gaining access to TfL's database of people with Oyster cards. They then searched the list for the personal details of London celebrities before attempting to access banking details.
"Scattered Spider is creating webs on the London Underground," Flowers later joked in messages, referring to the loosely coordinated group of young English-speaking hackers. The group has been linked to dozens of other cyber-attacks, including on retailers Marks and Spencer and the Co-op. In the last two years, young men and boys have been arrested for Scattered Spider hacks in the UK, US and Finland.
The attack cost an estimated £29 million, according to reports from The Record. That figure covers the months of service disruption, the forensic investigation, the cost of resetting credentials for every employee, and the reputational damage to a public body that millions of Londoners rely on daily. For customers, the breach meant their personal data — including names, addresses, and travel patterns linked to Oyster card usage — was exposed.
The sentencing judge described the pair as "computer-obsessed loners," a characterization that fits a pattern seen in many high-profile cyber crime cases: young individuals with technical skill but poor judgment, often drawn into collectives that provide structure and bravado. The NCA has warned that this demographic represents a growing threat, as the barrier to entry for cyber crime continues to fall.
The TfL case offers several takeaways for organizations that operate critical infrastructure. First, the attack vector — impersonating an employee — is a classic social engineering technique that no amount of perimeter security can fully prevent. TfL's network was breached through a compromised credential, a method that has become the leading cause of data breaches across sectors.
Second, the attackers' ability to stream the hack live suggests that detection and response times were insufficient. A 16-hour window of active compromise, especially one that was being broadcast, should have triggered alarms much earlier. Organizations need to invest in real-time monitoring and behavioral analytics that can spot unusual access patterns, even when the credentials used are legitimate.
Third, the scale of the data exfiltration — millions of customer records — points to a lack of data segmentation and access controls. If the Oyster card database was accessible from the same network segment as the employee credential that was compromised, that is a design flaw. Critical databases should be isolated, with access requiring additional authentication and logging.
Finally, the case underscores the importance of employee training. The initial breach likely began with a phishing email or a credential theft. Regular, realistic phishing simulations and clear reporting procedures can reduce the likelihood of such attacks succeeding.
Scattered Spider is not a traditional organized crime group. It is a loose affiliation of English-speaking hackers, many of them teenagers, who share tools, techniques, and targets. Their attacks have hit major retailers, healthcare providers, and now a public transport authority. The group's success highlights a shift in the cyber crime landscape: the most dangerous threats no longer come from state-sponsored actors alone, but from small, agile groups of young people who are technically proficient and socially reckless.
The NCA's warning about young hackers is not hyperbole. The UK has seen a surge in cyber crime arrests involving minors, and the tools available — from ransomware-as-a-service to AI-generated phishing lures — make it easier than ever for a motivated teenager to cause millions of pounds of damage. The TfL case is a stark reminder that cyber security is not just a technical problem; it is a societal one, requiring better education, mentorship, and early intervention for young people with technical talent.
With Flowers and Jubair now sentenced, TfL will continue its work to rebuild trust and strengthen its defenses. The organization has already implemented mandatory in-person password resets for all employees, a move that, while disruptive, ensures that compromised credentials are flushed from the system. But the broader challenge remains: how to protect critical infrastructure from attackers who are often younger than the security teams trying to stop them.
For the tech industry, the TfL attack should serve as a catalyst for rethinking security architecture. Zero-trust models, multi-factor authentication, and continuous monitoring are no longer optional; they are table stakes. And for the public, the case is a reminder that the convenience of digital services — tapping an Oyster card, checking a train time on an app — comes with a shared responsibility to maintain security hygiene.
The sentencing of two teenagers to five and a half years in prison is a significant legal outcome, but it is not the end of the story. The Scattered Spider collective is still active, and the next generation of young hackers is watching. The question is whether the industry and law enforcement can learn from this case fast enough to stay ahead.
Continue exploring trending topics.
Pakistan refuses UK deportation of Rochdale grooming gang leader Shabir Ahmed, citing legal and jurisdictional grounds.