Exclusive A man has pleaded guilty to hacking low-cost airline Jet2, including an attempt to compromise the CEO's email account.
Scott Burns, of Queen Street, Morley, Leeds, had been charged with eight crimes under the Computer Misuse Act (CMA) 1990.
The 27-year-old, formerly an IT project manager working for Blue Chip Data Systems, targeted the systems of Dart Group plc, the holding company that owns Jet2, package holiday firm Jet2holidays and logistics business Fowler Welch Coolchain.
During a three-week spree in January 2018, Burns accessed the inbox of Jet2.com and Jet2holidays CEO Steve Heapy from various IP addresses resolving to companies including Servatech Ltd as well as "a Plusnet account in the name of Neil Leslie".
Burns sealed his fate when he eventually accessed Heapy's inbox from a Virgin Media account in Burns' own name, as was laid out in the indictment against him at Leeds Crown Court.
Investigators were able to trace that illegal access back to a named desktop computer, with Burns having used two specific accounts to "secure unauthorised access to the computer hosting the domain of Dart Group… from a remote work station".
A Linkedin account in Burns' name has a project entry listed under Accomplishments referring to his carrying out an Office 365 migration for the Dart Group, including "preparation of back end systems to ensure a smooth migration for both the user and for reduced impact to system administrators and helpdesk consultants" for 5,000 users.
Since January 2016 I have been heavily involved with the technical aspect of migrating Jet2.com & Jet2holidays over to Office 365, with a view to continue this for Fowler Welch Coolchain at a later date.
- Careful planning so as to not impact key operational areas of the business.
- Preparation of back end systems to ensure a smooth migration for both the user and for reduced impact to system administrators and helpdesk consultants.
- Delivering the product to the end user, ensuring they're happy from start to finish during the entire migration period.
Last year Jet2 flew over 12 million passengers, making it the UK's third largest registered airline – just ahead of TUI Airlines but some way behind second-placed EasyJet's 80 million-plus.
Blue Chip Data Systems refused to confirm whether or not Burns had ever worked for the firm, though he lists it as an employer on Linkedin.
Four years ago Blue Chip carried out a successful movement of Dart Group's physical IT infrastructure from Bournemouth to its current Leeds base, taking on "the future management of Dart Group's IT system" as noted in a 2015 case study.
A Jet2 spokesperson told The Register: "As legal proceedings are still ongoing, it would be inappropriate for us to make any comment at this stage. However it is important to note that at no point was any personal data or other customer, supplier or Group data compromised, and there was no impact on our distribution or leisure travel operations."
Burns pleaded guilty to six offences under section 1(1) of the Computer Misuse Act 1990 (CMA), one attempted offence under section 1(1) and one offence under section 3(1) of the CMA. He will be sentenced in December and faces a potential 10-year prison sentence and fine, though statistically speaking, he is unlikely to end up behind bars. ®