Two men have been sentenced to prison for orchestrating a cyber-attack on Transport for London’s online systems.

The sentencing highlights the severe legal consequences for targeting critical infrastructure and the financial vulnerabilities of public transit networks.

Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty to the attack during a hearing at London Crown Court in Westminster. The proceedings concluded on the second day of a two-day sentencing hearing in March 2024 [1]. Both men were sentenced to five years and six months of imprisonment [2].

The court said the breach was aggressive. The total financial impact on TfL is estimated at £39 million [3]. This figure includes £29 million in damages resulting from service disruption and operational work, along with £10 million in other costs [4].

While the actual losses reached millions, some reports indicated the potential for wider devastation. One estimate suggested that £56 billion of catastrophic damage could have been caused [2]. However, other reports noted that the attack did not cause wider disruption to the broader transport networks [3].

The case underscores the risk posed by young actors capable of inflicting multi-million-pound losses on city infrastructure. The judicial response reflects a move toward stricter penalties for cyber-crimes that threaten public services.

Two men have been sentenced to prison for orchestrating a cyber-attack on Transport for London’s online systems.

This case demonstrates the high cost of cybersecurity failures in public infrastructure. The disparity between the actual cost of £39 million and the theoretical potential for £56 billion in damage illustrates the 'near-miss' nature of many cyber-attacks, where the scale of disaster is often limited by chance or rapid mitigation rather than the lack of attacker capability.