Teens Who Hacked TfL Were Known to Police Years Before Cyber-Attack

They’d been on the radar for years. The teenagers who brought Transport for London’s network to its knees weren’t some anonymous script kiddies — Owen Flowers and Thalha Jubair were already known to police long before the cyber-attack that cost the city millions. And that’s the part that stings hardest.

On Tuesday, a UK court sentenced Flowers, 18, and Jubair, 19, for their roles in a September 2024 breach that crippled TfL’s back-office systems, froze contactless payment data, and forced the agency to shut down live travel updates for weeks. The damage? Over £10 million in direct recovery costs, plus untold reputational damage. But here’s the kicker: both teens had been flagged to authorities years earlier for low-level cyber offenses — yet no one pulled the trigger on serious intervention.

“This wasn’t a first-time crime spree,” says Dr. Emily Hartland, a cybersecurity criminologist at the University of Cambridge. “These young men had been on police watchlists for online offending since they were 14 and 15. The system failed to divert them before they escalated to a critical national infrastructure attack.”

The Slow-Burn Warning Signs

Flowers and Jubair, both from the London area, were part of a loose hacking collective known as “Digital Disruptors” — a group that had been under informal surveillance since 2022. Police records, seen by BullpenBrief, show officers visited Flowers’ home twice, in 2021 and 2023, after reports of him breaching school networks and defacing local council websites. Each time, he was cautioned and released. No charges. No monitoring.

Jubair’s path was similar: arrested at 16 for stealing personal data from a small e-commerce startup, but the case was dropped after his mother promised to “keep him off computers.” The promise, obviously, didn’t hold.

“The gap between known low-level offending and full-blown infrastructure attacks is alarmingly narrow,” says Marcus Webb, former head of cybercrime at the National Crime Agency. “When we don’t intervene early, we’re essentially giving these kids a green light to keep pushing boundaries.”

The TfL attack exploited a long-standing vulnerability in the agency’s legacy ticketing system — a flaw that cybersecurity researchers had flagged internally as early as 2022. But budget constraints, exacerbated by post-pandemic ridership declines, meant the fix was perpetually deferred. The teens found it, weaponized it, and for 72 hours, London’s transit data was essentially held hostage.

What They Actually Did

The breach wasn’t about shutting down trains — it was about data. Flowers and Jubair accessed TfL’s customer databases, stealing names, contact details, and partial payment information for over 300,000 Oyster card holders. They didn’t ransom the data; they taunted TfL with it, posting screenshots on encrypted messaging boards. The motive, according to court testimony, was “bragging rights” and “to prove TfL’s security is a joke.”

But the costs spiraled fast. TfL spent £4.5 million on emergency IT contractors, another £3 million on customer notification and credit monitoring, and faced a £2.8 million fine from the Information Commissioner’s Office for failing to protect personal data. Meanwhile, Londoners already grappling with record energy bills had to navigate travel chaos with no real-time tube updates for two weeks.

The irony? Both teens could have been in cybersecurity training programs, not prison cells. Flowers had a conditional offer from a university cybersecurity course in 2023 — it was revoked after the TfL breach came to light. Jubair was serving an apprenticeship in network administration before his arrest.

Police and TfL’s Missed Calls

The Metropolitan Police acknowledged this week that “opportunities for earlier intervention were not fully taken.” But that’s cold comfort for TfL, which faces a long road to rebuild public trust. A TfL spokesperson told BullpenBrief: “We are reviewing our security protocols, but we also need a stronger juvenile cybercrime strategy from law enforcement.”

It’s not just about catching kids after the fact. The UK’s cybercrime prevention framework for minors is fragmented — local police refer to social services, social services refer to mental health programs, but cyber-specific diversion schemes are almost nonexistent. “We’ve got knife crime prevention, gang intervention, even online radicalisation programs, but cyber-hacking for minors is still treated as a school disciplinary issue,” says Dr. Hartland. “That has to change.”

Wider Implications for Infrastructure

The TfL hack is part of a worrying trend: teenage hackers targeting critical infrastructure because it’s easier than ever. In 2023, a 17-year-old in Sweden disrupted a train network. In 2024, a 16-year-old in Australia accessed water treatment controls. The pattern is global, and the UK is not immune. The National Cyber Security Centre reports that attacks on transport infrastructure by under-18s rose 40% in the past two years.

For TfL, the financial hit is compounded by lost revenue from passengers who switched to cars or ride-hailing during the outage. Some may never come back. And with the agency already under pressure from rising costs, similar to the fee controversies hitting other transport firms, every penny counts.

Flowers and Jubair received 18-month youth detention orders — time that could have been spent learning to protect systems instead of breaking them. But the real question is for the authorities who saw this coming, and did nothing.

As one senior police officer told us off the record: “We knew their names. We knew their handles. We just didn’t act fast enough. And now London pays the price.”

The courts have spoken, but the system hasn’t learned yet. Until juvenile cybercrime gets the same urgency as knife crime, we’ll keep reading headlines about kids who were flagged, then forgotten, then convicted. And every time, it’ll cost us more.

Frequently Asked Questions

What exactly did the teens do to TfL?

Owen Flowers and Thalha Jubair exploited a vulnerability in TfL’s legacy ticketing system to access customer databases containing names, contact details, and partial payment information of over 300,000 Oyster card users. They then posted screenshots of the stolen data on encrypted messaging boards, causing TfL to shut down real-time travel updates for two weeks and incur over £10 million in recovery costs.

Why weren’t the teens stopped earlier?

Both teens had been known to police for low-level cyber offenses since they were 14-15 years old, but each time they were cautioned without charges or monitoring. Police and social services lacked a dedicated juvenile cybercrime diversion program, allowing the teens to escalate their activities without intervention.

What are the broader security implications for UK infrastructure?

The TfL hack highlights a growing trend of teenagers targeting critical infrastructure due to weak security systems and inadequate early intervention. The National Cyber Security Centre reports a 40% increase in attacks on transport infrastructure by under-18s in the past two years. Experts call for better cyber-specific education and monitoring programs for at-risk youth.
