Sixteen hours, livestreamed, in the last days of August

Between 31 August and 3 September 2024, two teenagers took apart the technology estate of the organisation that moves London, and streamed part of it live while they worked. On 16 July at Woolwich Crown Court, Mr Justice Turner sentenced Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from Bow in east London, to five years and six months each, a term that already carries a 15 percent reduction for the guilty pleas they entered in June. Both were prosecuted for their part in the intrusion at Transport for London, the body responsible for the Underground, the buses and the roads used by millions of people every day.

The National Crime Agency did not describe this as an ordinary case. Paul Foster, the agency's deputy director, called it the largest cybercrime prosecution ever brought before the UK courts, and framed the group behind it as the most significant cybercrime threat to the UK. The pair sit within the loose network that researchers label Scattered Spider, the same cluster associated with the MGM Resorts attack in 2023 and with the wave that hit British retailers in 2025. Jubair alone is accused of compromising 120 networks belonging to 47 United States organisations, activity connected to more than 115 million dollars in ransom payments.

What makes the case worth an hour of any operator's attention is not the sentence. It is the arithmetic underneath it. TfL did not pay a ransom. There was no extortion payment, no negotiation, no cryptocurrency transfer to a group that had already proved it could get in. The organisation refused, recovered, and still booked a bill of about 29 million pounds, roughly 33 million euros. That number is the honest price of this attack, and it is the number that belongs in your own planning, because it is what happens when the answer to the demand is no.

They did not break the door. They phoned the desk

The entry route had no exotic component at all. The attackers acquired partial credentials from criminal forums, the kind of fragmentary material that accumulates from years of unrelated breaches and costs very little. Partial credentials are not access. What turned them into access was the next step: phishing and social engineering aimed at people, and a helpdesk that could be persuaded to reset multi-factor authentication after one of the attackers impersonated an employee. The second factor did what it was designed to do. It was simply handed over by the process that exists to help staff who are locked out.

This is the uncomfortable part, because the failed control does not appear on any architecture diagram. Organisations buy MFA and then record the risk as treated. The residual risk lives in the recovery path, and the recovery path is a human being under time pressure whose job is to be helpful, judged on how quickly the queue clears, and who has no reliable way to prove that the anxious voice on the line belongs to the name on the ticket. Every hardened identity system in the world ships with a soft override, and the override is staffed by someone who is measured on speed.

The forensics show a case built from ordinary things rather than clever ones. An Acer laptop belonging to Flowers held logs of access to remote infrastructure, videos and screenshots of the attack itself, spreadsheets of TfL employee credentials, and cryptocurrency payment records that matched food delivery orders sent to his own address. The same machine carried artefacts linking to intrusions at the American healthcare providers SSM Health and Sutter Health. The people who cost a transport authority 29 million pounds were ordering dinner to the flat they were doing it from.

Twenty-eight thousand people, one queue, no shortcut

Here is where the money actually went. Roughly 28,000 TfL employees had to attend an office in person so that their passwords could be reset by another human who could see their face. Not an email link. Not a self-service portal. Not a call to the desk, because the desk was precisely what had been abused. When the identity system itself is suspect, every remote channel for proving who you are inherits the suspicion, and the only instrument left that an attacker cannot forge at scale is physical presence. That is the cost driver, and it is a logistics problem wearing a cybersecurity label.

Run the arithmetic on your own organisation, because it is unforgiving and nobody does it in advance. Take your headcount. Divide by the number of people you could plausibly identify in person per hour, across every site you operate, on a day when your systems are down and your staff cannot be emailed the instructions. That quotient is your recovery time, and it does not shorten because you bought a better product. TfL's 148 affected systems were the technical scope. Twenty-eight thousand identities were the operational scope, and the second number is the one that set the bill.

The customer-facing tail ran far longer than the intrusion. The attack itself spanned three days at the end of August. Photo travel card issuance did not return until 4 December 2024, more than three months later, alongside disruption to account logins, customer portals, connected third-party applications and ticket machines. Seven million users had information exposed. An intrusion measured in days produced a service outage measured in months, and any board that reasons about downtime from the length of the attack is reading the wrong end of the timeline.

Only the second conviction of its kind

The legal detail matters more than it looks. Flowers and Jubair were convicted under Section 3ZA of the Computer Misuse Act 1990, the provision reserved for unauthorised acts causing, or creating the risk of, serious damage of a material kind. This is only the second conviction ever secured under that section. For 35 years the Act has mostly delivered charges for unauthorised access and impairment; the serious-damage limb has been close to theoretical. It is now demonstrably usable, and it was used on an attack against transport rather than against a hospital or a power station.

Read that as a signal about where British prosecutors think the line sits. Section 3ZA exists for consequences to the physical world and to national life, and a public transport network qualified. Any operator whose failure would interrupt the ordinary functioning of a city should assume the same reasoning applies to an attack on them, which cuts in a useful direction: the state now treats an intrusion into that kind of infrastructure as a serious-damage offence, and it is willing to spend years building the case that proves it.

It also sets a marker on deterrence that owners should read honestly. Five and a half years for 29 million pounds of damage and seven million exposed records is a real sentence, arriving nearly two years after the attack, against two people from a network that continued operating throughout. Prosecution is a consequence, not a control. It punishes the people who did it long after your recovery is complete and your money is spent, and nothing in this judgment would have shortened TfL's queue by a single hour.

Four questions for your own service desk this week

Can your helpdesk reset multi-factor authentication on the strength of a phone call? If yes, you have TfL's vulnerability, whatever your security stack costs. The fix is procedural rather than technical: require a verification path the caller cannot supply from stolen fragments, such as confirmation through a manager on a known-good channel, a video check against a personnel record, or physical attendance for privileged accounts. It is slower and staff will complain. That complaint is the control working.

How long does it take you to re-identify everyone? Do the division. If the answer is longer than a fortnight, decide now which roles get re-established first, because on the day you will be doing that triage in a hurry with an executive standing over you. Write the order down while it is calm and boring, and keep it somewhere that survives the loss of the systems it describes.

What breaks for your customers, and for how long after you are clean? TfL's internal recovery and its public recovery were different events, three months apart. Identify the processes that touch customers and depend on data you would have to rebuild or re-verify, and price those separately from your technical restoration. That is where the reputational damage lives, and where the number stops looking like an IT cost and starts looking like revenue.