Skip to content
← All news
5 min read

Two teenagers social engineered a helpdesk and took down London's transport network

Owen Flowers, 18, and Thalha Jubair, 20, are each jailed for five and a half years for the 2024 cyberattack on Transport for London. The way in was a phone call to a helpdesk worker, not a technical exploit.

Two UK teenagers took down Transport for London with one phone call to a helpdesk. It cost 29 million pounds.

Owen Flowers, 18, and Thalha Jubair, 20, were each jailed for five and a half years for the 2024 cyberattack on Transport for London: a hack that cost 29 million pounds, stole personal data on millions of users, and forced all 27,000 TfL staff to reset their passwords in person. The way in was a phone call to a helpdesk worker.

What actually happened

The pair, tied to the cybercrime collective Scattered Spider, gained initial access by tricking a phone helpdesk worker into resetting credentials, not through a technical exploit against TfL's systems. From there the attack disrupted TfL's online services for months and streamed the 16 hour intrusion live.

The part worth sitting with

TfL is critical infrastructure with a real security budget, and the compromise still started with a single phone call, not a zero day. The technical systems were not the weak point. A person with the authority to reset a credential, working from a script that trusted a caller's claimed identity, was.

Why a build studio cares

Every auth flow we wire up for a client has a human fallback somewhere: a support desk, an admin reset tool, an account recovery email. Those are usually the least tested part of the system, because the engineering effort goes into the technical login flow instead. This case is the cost of that gap made concrete: 29 million pounds, months of disruption, and a password reset for 27,000 people, all downstream of one helpdesk call.

Next step: read LBC's coverage of the sentencing. If your build's support or recovery flow has never actually been tested against a social engineering attempt, write to us at hello@gattyworks.com.

SecurityInfrastructureEuropeScatteredSpiderTfLCyberSecuritySocialEngineeringUKLondonDataBreachInfrastructureSecurityHelpdeskSecurityCriticalInfrastructure

Ready to ship?

Send a brief. You will get a written reply, a fixed quote, and a delivery date within 24 hours. If we miss that window, the website fee on your first project is refunded in full.

Average reply under 4 hours. Always inside 24.