Scott Burns, a former employee of a company that offered ICT services to low-cost airline Jet2, has been jailed for ten months for carrying out cyber attacks against the airline that prevented at least 2,000 employees from logging into their network accounts and accessing their emails.
Burns was sentenced by the Leeds Crown Court to ten months in prison on Wednesday after he admitted to gaining unauthorised access to a domain owned by Dart Group, the owner of Jet2, and removing a critical folder that contained all user account details.
As a result of his actions, at least 2,000 employees at Jet2 were unable to log in to the company's network or access their emails for more than twelve hours. According to the BBC, Burns's malicious conduct resulted in Jet2 suffering losses of up to £165,000.
Burns committed the crime in January 2018 even though he was no longer an employee of Blue Chip, the ICT provider that offered various services to Jet2. According to the NCA, Burns attempted to cover his tracks by deleting a programme used by Jet2 that stored detailed logs relating to events and changes on the network.
Burns also hacked into the email account of the CEO of Jet2 to monitor their emails
"Forensic analysis of his computers, along with information provided by Dart Group’s Infrastructure Team, showed that Burns was also responsible for another network intrusion against Jet2 on 3 January – which is believed to have been a scoping exercise, assessing the security of their systems in preparation for his later attack," the NCA said.
"On a number of occasions – once on the 3rd January, during his preparation – and then several times after the attack, Burns also hacked the email inbox of Jet2’s CEO. During interview, Burns admitted that he had illegally accessed the CEO’s inbox “once or twice” to see if anything was being said about the incident – or to see if the company had any evidence of his involvement in the attacks.
"Chat records found on his phone show Burns saying he is “finally sick and tired of BC/Jet2” and he describes leaving Blue Chip as “freeeedom”. On the same phone, he had looked up the prison sentence for network intrusion in the UK on Google," it added.
Burns was arrested by NCA investigators at his residence in Morley, Leeds in February 2018 and subsequently pleaded guilty to eight offences under the Computer Misuse Act in November this year.
Organisations must implement privileged access protocols to prevent unauthorised activities
NCA officer Jamie Horncastle said that not only did Burns's actions have a potential financial impact on Jet2, they also caused huge disruption to their staff and technical operations. Evidence secured by Dart Group proved valuable during the investigation and helped law enforcement authorities in zeroing in on Burns.
The fact that an ex-employee of a third-party service provider could gain access to an internal folder owned by Jet2 indicates that failing to implement privileged access management can allow malicious insiders to carry out unauthorised actions without being detected.
In 2017, supermarket chain Morrisons was directed by the High Court in Leeds to pay compensation to 5,518 current and former employees after a former employee leaked personal and financial information of nearly 10,000 Morrisons staff on the web.
The verdict was arrived at after the existing and former employees told the Court that Morrisons was squarely responsible for breaches of privacy, confidence and data protection laws, as well as for exposing them to identity theft.