Why the TfL Hack Proves Cyber Security Is Focused on the Wrong Threat

Why the TfL Hack Proves Cyber Security Is Focused on the Wrong Threat

You probably think the biggest threat to your company's data is a sophisticated state-sponsored military hacking unit. It isn't. The real threat might just be a couple of bored teenagers sitting in their bedrooms eating takeaway food and bragging on Telegram.

Look at what just happened in London. Two young hackers, Owen Flowers, 18, and Thalha Jubair, 20, were just sentenced at Woolwich Crown Court to five years and six months in prison each. They completely crippled Transport for London (TfL) in a massive 2024 cyber attack.

It didn't take millions of dollars or military-grade malware. They basically used social engineering, tricked a help desk, and walked right into the heart of London’s transport infrastructure.

The numbers are staggering. The attack cost TfL an estimated £29 million ($39 million) in losses and recovery costs. All 28,000 employees had to physically walk into an office to reset their passwords in person. 148 internal systems went offline.

Disabled and elderly passengers couldn't book rides because the Dial-a-Ride system crashed. Children couldn't apply for discounted travel passes. The National Crime Agency (NCA) noted that if the hackers had executed a complete network shutdown, the wider economic damage to London could have hit £56 billion.

It’s terrifying. It also shows a massive flaw in how most organizations handle security.

How Two Teenagers Stole the Keys to the Kingdom

Flowers and Jubair were part of Scattered Spider. It’s a loose collective of English-speaking hackers famous for targeting corporate giants, casinos, and tech firms. They don’t rely on zero-day exploits. They exploit humans.

The TfL attack started with a simple phone call. A co-conspirator rang up the internal TfL help desk, pretended to be an employee, and convinced the support staff to reset a password. That was it. Once inside that single account, the duo spent 16 straight hours working through the night to escalate their privileges. They created a domain admin account. In the words of prosecutors, they gained "the keys to the kingdom."

They didn't even try to hide it. They literally livestreamed parts of the compromise to their buddies and shared screenshots in an online workspace.

This isn't an isolated incident. Before getting caught, Flowers was busy attempting to breach US healthcare providers like SSM Health and Sutter Health. Jubair already had 22 previous youth convictions, including hacking BT/EE, Nvidia, and even the City of London Police.

The Clout Culture Driving Modern Cyber Crime

Most corporate security training assumes hackers want corporate secrets or intellectual property. Scattered Spider hackers are different. They want money, sure, but mostly they want clout. The judge in the case noted they were primarily motivated by "selfish bravado."

They accrued millions of dollars in cryptocurrency. In fact, a seized server linked to them held $36 million. But they also made incredibly stupid, arrogant mistakes because they felt invincible. Jubair was ultimately identified partly because he ordered a takeaway meal to his family’s council flat using vouchers bought with a crypto wallet linked to the hacker server.

Even after being caught and remanded, they didn't stop. Authorities found hidden electronic devices inside their prison cells. Messages recovered from Flowers showed him bragging about how he’d only get a couple of years, claiming he was studying law on the side and researching the judges he might get. He was even actively searching for ways to log into the Ministry of Justice and Crown Prosecution Service networks from his cell.

Why Your Technical Defenses are Failing

You can spend millions on firewalls, encryption, and threat detection algorithms. If your IT help desk can be tricked by a smooth-talking teenager over the phone, your defenses are worthless.

Scattered Spider’s entire playbook relies on bypassing multi-factor authentication (MFA). They do this through SIM swapping, setting up fake single sign-on pages, or bombarding employees with MFA prompts until they click "approve" out of sheer annoyance. But their favorite entry point is the IT help desk. Help desks are staffed by people trained to be helpful. Hackers weaponize that helpfulness.

To protect your organization right now, you need to change how you handle internal identity verification.

Stop allowing help desk staff to reset passwords or MFA tokens based on a phone call alone. Implement a strict out-of-band verification process. If an employee calls to reset a credential, the help desk must verify them through a pre-approved secondary manager channel or a live video check.

Train your support staff to recognize social engineering tactics. Give them the authority to say no and hang up if something feels off. Run simulated social engineering tests specifically targeting your internal IT support lines, not just generic phishing emails to your sales team.

The TfL attack ended only when the organization took the desperate measure of completely disconnecting its networks from the internet to kick the intruders out. Don't wait until you're forced to pull the plug on your own business. Review your help desk authentication policies today.

JG

Jackson Gonzalez

As a veteran correspondent, Jackson Gonzalez has reported from across the globe, bringing firsthand perspectives to international stories and local issues.