IT services pro hacked former client’s email

An IT project manager has pleaded guilty to accessing the email account of a former client’s CEO, said reports this week.

According to the Register, 27-year-old Leeds resident, Scott Burns, was charged under the Computer Misuse Act for tinkering with systems owned by Dart Group, which owns the Jet2 airline.

The hapless hacker was reportedly an IT project manager at Blue Chip Data Systems, which offers IT support and managed services. He accessed the email inbox of Steve Heapy, the CEO of Jet2 and its sister company Jet2holidays, although it isn’t clear what Burns was using the information for.

The Register found Burns’ LinkedIn account, which had listed a project entry under ‘Accomplishments’ relating to his work for Dart Group. Apparently, he helped move the company to Microsoft’s Office 365, including preparing back-end systems for a smooth migration of around 5,000 users.

As of yesterday, his LinkedIn account had been scrubbed of any accomplishments, and also didn’t show any employment history, although both Jet2 and Blue Chip Data Systems show up in his interests. He also posted seven months ago as an employee of Pure Technology Group, where he was “really chuffed to have been awarded employee of the quarter”.

According to the indictment, Burns accessed the CEO’s inbox over three weeks in January 2018. He tried to cover his tracks by accessing from different IP addresses. However, he slipped up when he eventually accessed the inbox from a Virgin Media account in his own name. That gave investigators the information they needed to track Burns’ computer, and it was game over.

Accessing a victim’s computer from an identifiable account is a common theme among hackers who get caught. For example, the FBI collared US hacker Kyle Milliken after he forgot to use his VPN to protect his IP address when hacking Disqus.

Are contractors your weakest link?

Contractors could be the weakest link in your security chain, and they should be held to the same levels of security that you expect from your own employees.

From unscrupulous individuals who sneak a peek at your personal data like Burns here, to being tempting targets for hackers, to simply being harder to police. 

As Naked Security writer John Hawes observed in an article about the US Department of Defense’s belated steps to ensure security standards of private sector companies doing business with the military:

Everyone we do business with, share data with, outsource operations to, sell things to or buy things from forms a part of our own security chain. A breach at any point in the chain can have an impact on the privacy and integrity of our data.