Two teenagers social engineered a helpdesk and took down London's transport network
Owen Flowers, 18, and Thalha Jubair, 20, are each jailed for five and a half years for the 2024 cyberattack on Transport for London. The way in was a phone call to a helpdesk worker, not a technical exploit.
Two UK teenagers took down Transport for London with one phone call to a helpdesk. It cost 29 million pounds.
Owen Flowers, 18, and Thalha Jubair, 20, were each jailed for five and a half years for the 2024 cyberattack on Transport for London: a hack that cost 29 million pounds, stole personal data on millions of users, and forced all 27,000 TfL staff to reset their passwords in person. The way in was a phone call to a helpdesk worker.
What actually happened
The pair, tied to the cybercrime collective Scattered Spider, gained initial access by tricking a phone helpdesk worker into resetting credentials, not through a technical exploit against TfL's systems. From there the attack disrupted TfL's online services for months and streamed the 16 hour intrusion live.
The part worth sitting with
TfL is critical infrastructure with a real security budget, and the compromise still started with a single phone call, not a zero day. The technical systems were not the weak point. A person with the authority to reset a credential, working from a script that trusted a caller's claimed identity, was.
Why a build studio cares
Every auth flow we wire up for a client has a human fallback somewhere: a support desk, an admin reset tool, an account recovery email. Those are usually the least tested part of the system, because the engineering effort goes into the technical login flow instead. This case is the cost of that gap made concrete: 29 million pounds, months of disruption, and a password reset for 27,000 people, all downstream of one helpdesk call.
Next step: read LBC's coverage of the sentencing. If your build's support or recovery flow has never actually been tested against a social engineering attempt, write to us at hello@gattyworks.com.