The man who hacked northern airline Jet2 has been jailed for five months after he posed to hotel staff as a company director, was disciplined, and later went on an alcohol-fuelled deletion spree.
Scott Burns, of Queen Street, Morley, Leeds, previously pleaded guilty to eight offences under the Computer Misuse Act 1990.
Crown prosecutor Rebecca Austin told Court 5 at Leeds Crown Court: "This is a case which involves a disgruntled ex-employee."
In 2017 Burns was working for Blue Chip Data Systems on its Jet2 account. He was dispatched to Benidorm to provide IT cover for a roadshow event. Crown prosecutors said in a note read by the judge that Burns "twice tried to bring back a guest who was not checked into" the hotel he was staying at.
One guest was said to have "reacted violently" to being denied entry, breaking a hotel phone. Burns was said to have lied to the concierge, claiming he was a director of Jet2, and demanded his guest be allowed in. He was later disciplined for this and banned from overseas travel with Jet2.
Austin said: "That seems to be the event that caused Mr Burns to have a grudge."
The 27-year-old, formerly an IT project manager working for Blue Chip Data Systems, went on to target the systems of Dart Group plc, the holding company that owns Jet2, package holiday firm Jet2holidays and logistics business Fowler Welch Coolchain.
He used two machines, one with his own name as the computer's network identity and a second one from the Pure Data Group, Burns' employer after he left Blue Chip. By using a printer service account on the Jet2 internal network domain – referred to in court as "Jet2 MFP" – Burns was able to open a remote desktop session onto Jet2's network in early January 2018, despite having stopped working on its account the previous December.
Having figured out that he could get into Jet2's network, a couple of weeks later – on 18 January 2018 – Burns logged into it again. Jet2 staff immediately "began to experience technical difficulties," as Austin put it.
"The cause of the problems was discovered soon afterwards when it was found that the folder that stored all the user accounts for the network had been deleted," said Austin. Burns had wiped every account on the Jet2 domain, including all the domain administrator accounts.
Except for one. A quick-thinking IT staffer, Jeramy Eling, "was able to create a new profile with administrative rights to escape detection" by Burns, Austin told the court. Without that admin account, the court heard, "repairing the damage was ultimately not possible."
Thanks to the targeted deletion of the entire domain's user accounts, investigators immediately suspected an inside job. Trawling through network logs revealed that an account referred to as Nessus_scan had logged in at 1437 and logged out at 1450. The Jet2 MFP account logged in at 1439 and logged out at 1448.
"Had he not had that prior knowledge of the network, he couldn't have caused the devastation as quickly as he did," said Austin. "There is estimation in relation to the loss of business revenue, of some £165,000."
Burns also deleted logs in an attempt to cover his tracks, as well as using his illicit access to log into Dart Group CEO Steve Heapy's personal email address, something he told The Register that he did because the password was widely known among Jet2's IT staff.
However, he was not successful: "Police were able to trace, using the IP address, a Virgin Media account in the name of Mr Burns. And at his home address," said Austin. Burns also used an account with an IP address that resolved to his then-partner's father. His relationship with his partner "broke down" once Burns was charged.
Michael Walsh, Burns' barrister, said: "He, in discussions with the probation service, referred to his nosiness and curiosity and also refers to the fact that when he committed the main offence here, he was under the influence of alcohol."
Continuing in mitigation for his client, Walsh said: "The Crown's case is accepted in full," while suggesting to the judge that the sentence be suspended. He also said that one of the two character references for Burns had been submitted by a "serving police officer".
The judge peered at his computer screens. "It isn't from a serving police officer. It's a civilian employee."
Passing sentence, His Honour Judge Andrew Stubbs QC said: "What you intended to do was cause as much damage to Jet2's computer systems as you could."
"It seems plain you are highly to blame. This was a deliberate act with a high level of sophistication and planning. The harm you caused, but for the prompt measures of the employees of Jet2, this would have been disastrous and brought their computer systems crashing down."
"This was a revenge attack for a perceived slight you suffered at the hand of the company who employed you… It would be inappropriate to reduce the sentence for you because of the serious harm you intended."
Burns was sentenced to 10 months in prison for his crime under section 3 of the Computer Misuse Act 1990. On the other seven counts brought under section 1, the judge sentenced him to six months to be served concurrently. Of the 10 months, Burns will serve half in prison and half out on licence in the community.
There is no specific sentencing guideline for Computer Misuse Act offences. HHJ Stubbs said he referred to the generic guidelines as well as the nearest analogy, guidelines for criminal damage offences, when formulating his sentence.
Burns' laptop was ordered to be forfeit and destroyed following an unsuccessful plea for it to be wiped and returned to him.
The defendant was locked into the dock for his sentencing. Wearing a plain dark suit with blue tie and brown shoes, he closed his eyes when it became obvious during the judge's summing-up that he was going to prison. Two women who accompanied him to court tried to catch his eye as he was led away to spend Christmas and New Year behind bars. ®