IT consultant who deleted every account on UK company Jet2's domain cops 5 months in jail

The man who broke into northern airline Jet2's systems has been jailed for five months after he posed to hotel staff as a company director, was disciplined, and later went on an alcohol-fuelled deletion spree. Scott Burns, of Queen Street, Morley, Leeds, previously pleaded guilty to eight offences under the Computer Misuse Act …

  1. Dwarf

    Good

    People like that give the profession a bad name.

    I hope he likes flipping burgers for the rest of his life since nobody is going to let him near their IT systems with a history like that

    You have to wonder though, why the printer service account had logon interactively permissions, if it was correctly configured then the attack would not have been successful through that route.

    1. sbt
      Pirate

      ... with a history like that

      Until the conviction is spent and he can hide it.

      This is why I don't agree with spent convictions as currently in force; there are other occupations to take up post release/sentence but I think it's fair to permanently disqualify convicted persons from positions of trust, in the financial, legal, medical and other professional areas, even if it's only by not allowing them to be forgotten.

      1. IGotOut Silver badge

        Re: ... with a history like that

        Spent convictions just mean you don't have to declare them. For many of the things you mention, a DBS check is required and will flag them up.

        Add to that, having millions of people potentially unemployable is hardly a great solution, is it?

        The very idea, and a well proven one, is that people that are able to contribute to society and get self fulfillment are far less to reoffend than those thrown on the scrap heap

        1. sbt
          Alert

          far less [likely] to reoffend

          Why not eliminate temptation? I'm not saying actually ban people (although disqualification applies in the medical field, and corporate directorships, for example), but allow others to do their due diligence and make a decision to hire/engage/do business with/monitor these folks based on the facts. At least let them earn back the trust, rather than just assume it.

          Checks don't apply when you hang out a shingle and start selling a lot of services direct to customers.

          Two recent Google RTBF cases both involved folks that appeared to want to get back into the industries/sectors/roles they fell short in previously and Google searches (they claimed) were preventing them from doing so. The apparent lack of remorse did not suggest they'd learn their lesson.

          As you say, the released need to re-enter society and contribute/sustain themselves. That is in everyone's interest. But they should be able to earn a living doing something else requiring less risk and trust, that doesn't involve being entrusted with clients' life savings. It's not an all-or-nothing, scrap-heap or straight back to the top(?) of their prior profession situation.

          1. gyaku_zuki

            Re: far less [likely] to reoffend

            I disagree - we have to allow people to properly reform. To me, the most likely reason he'd reoffend in this kind of way is bitterness about being turned away from any IT job ever (which is clearly his trained career path) for this.

            Is it impossible to say that he's "learned his lesson" and therefore, given the punishment accrued, is less likely than the average person to do this again? I am not sure we can consider recidivism of IT crime as the same as more common crimes; it's not the same socio-economic profile and motives.

            Telling him to reboot his life and train in something else, because he can never be trusted again, ever, is a pretty poor incentive to reform and return to being an upstanding contributing member of society.

            1. sbt
              Stop

              I'm *not* saying 'because he can never be trusted again'

              IT practitioners are given massive amounts of trust to do their jobs; as system administrators, they can have access to all of an organisation's most sensitive information, and they can exploit that access for financial gain (e.g. the other recent report here on insider trading) or wreak havoc, as in this case. Developers get access to personal customer data (some medical/financial/HR depending on the org) in the course of testing and bug-fixing. Misconduct by IT professionals hurts us all.

              I'd prefer to avoid the licencing approach taken elsewhere which would bring background checks into play for everyone and make the spending of convictions irrelevant even though that would seem to achieve my purpose. Since convictions aren't spent immediately anyway, there's still an issue for the convicted to not have to 'reboot' as you say and licensing with background checks would make it worse for them than at present.

              Again, as commented elsewhere, bias against the rehabilitated needs to be addressed and people should be given a chance to regain trust, under supervision, and pass the 'attitude test'. Some people may never be able to do so, but that's OK, we're all better off if they don't work in IT. So-called 'white collar' crime is not taken as seriously as 'more common crimes' you mention, but can have devastating consequences for the victims, who are not always just faceless corporations with insurance, but are real people who often lose their assets, jobs, privacy or even just dignity when defrauded, harassed or have their personal information leaked.

              I'm concerned about incentives to reform, too. It seems bizarre that in say, the case of a person convicted of fraud, they are effectively told, "You lied, lying is wrong, go to prison, but after you get out, after a while, you can lie about this".

              1. Version 1.0 Silver badge

                Re: I'm *not* saying 'because he can never be trusted again'

                "You lied, lying is wrong" but he could get a job in parliament or become mayor of a large city.

            2. Anonymous Coward

              Re: far less [likely] to reoffend

              So. .... Let him work again in IT because if we don't he might get bitter and offend again?

              Really?

          2. Cynic_999

            Re: far less [likely] to reoffend

            This type of thinking would justify putting a lifetime driving ban on anyone who got a speeding ticket. After all, many people have no remorse when convicted of speeding, and so it would remove the temptation to re-offend ...

            Meanwhile back in the real World, if you make it difficult or impossible for a person to earn a reasonable and honest living, they are likely to seek dishonest ways of making money. In most cases the assumption should be that the criminal has "learned their lesson" and will prefer to live within the rules of society if they can.

            However it depends whether the ultimate goal is to reform criminals and so reduce the total number of crimes, or whether it is to cause them the maximum hardship for revenge and spite without worrying about what effect that may have on their future behaviour (or indeed the effect on their entirely innocent family).

            1. sbt
              Alert

              I'm *not* for 'the maximum hardship for revenge and spite'

              No, again as I've replied elsewhere, not asking for more bans or more punishment for spite. It's not about misdemeanours (e.g. speeding tickets). This is about information and still allows people to earn back trust, and not have it assumed. By the way, dangerous drivers will earn a long or lifetime ban in some jurisdictions, and I'm OK with that considering the consequences that bad driving can lead to. It's really easy not to speed, if people will take responsibility for their conduct. Here's an example where I disagree with the leniency shown.

              There's a common theme in responses to my comments in this topic; people seem to take my comments to mean I want more punishment for the convicted, to destroy their lives and careers, etc. I'm not about that at all; it is definitely better all round if on release/discharge they are able to resume a normal, law-abiding life and career. I'm suggesting a better risk management approach that re-balances the scale towards the innocent and the victims; again it's about information.

              I'd be happy to see more education for the public, by the way, about the success stories for rehabilitation and reduce the bias against dealing at all with people over historical convictions. I don't think hiding the facts is the best way to solve this problem. We don't take this approach in respect of other discrimination issues and suggest people hide the ethnic, sexual or other aspects of their identities or personal histories that lead to discrimination; there are laws and there is discussion and some progress in these other areas has been made. We should really do the same in this case.

              How about as a compromise, instead of the automatic spending of convictions after the same fixed timeframe in all cases, the behaviour of the convicted person afterwards is taken into account; e.g. a timeframe can be recommended to the judge by the prosecution based on trial and pre-trial conduct, set as part of sentencing and then reviewed/adjusted by parole board based on post-trial conduct? Or at least a mechanism to delay the spending of convictions for poor conduct?

              1. lucki bstard

                Re: I'm *not* for 'the maximum hardship for revenge and spite'

                All theory, appears written by someone who hasn't ever worked with people who have dealt with the criminal justice system.

                Take off the rosy glasses; the reality is awful.

                What do you want? Someone who will be able to work and pay taxes or someone who gets a dead end job at best and costs the state more?

                I'm also still curious about how a company passes its audits with such a poor setup.

        2. Alan Brown Silver badge

          Re: ... with a history like that

          "The very idea, and a well proven one, is that people that are able to contribute to society and get self fulfillment"

          Only if he stays sober.

      2. robidy

        Re: ... with a history like that

        That's vindictive.

        You assume he can't be reformed without trying.

        The sentace is the punishment.

        1. sbt
          Facepalm

          The sentence is the punishment

          True, but I'm not arguing for more punishment, rather, for the protection of the public (which is one function of the justice system) and reducing the risk of recidivism.

          1. Cynic_999

            Re: The sentence is the punishment

            "

            True, but I'm not arguing for more punishment, rather, for the protection of the public (which is one function of the justice system) and reducing the risk of recidivism.

            "

            In which case you would no doubt welcome a mandatory life driving ban for the first speeding offence. After all, how could we trust the person to ever drive safely again? If it saves just one child ... yada yada.

            What people with the mindset you describe never seem to understand is that *it is not a zero-sum game*.

            Also, I'm not sure what an ordinary member of the public actually needs protecting from in this case.

            1. sbt

              The straw man strikes again

              In which case you would no doubt welcome a mandatory life driving ban for the first speeding offence.

              No, come on. I have not suggested anything of the kind. That is a disingenuous suggestion. I've commented earlier on the treatment of 'misdemeanours'. Driving is a bad example in any case, because it's licensed conduct and the licence can be withdrawn/suspended.

              The discussion on spent convictions is not about bans, and I'm trying to suggest a balance between licencing everything, universal background checks and the kind of creeping social credit score approach of the CCP, with maintaining trust in society and managing risks of recidivism.

              What people with the mindset you describe never seem to understand is that *it is not a zero-sum game*

              Be honest, you mean me. I am a person with this mindset, surely, in your view. Sure, some aspects of life are a 'zero-sum game'. Whether games are zero-sum is no moral judgement. To the extent that societies are constructed by trading off total freedom of conduct on one side with the protection from harmful conduct on the other, I guess you could consider that a zero-sum game.

              As a small-l liberal and pluralist, I'm for the maximum possible freedom of action, but that's tempered with the need to impose some fairly basic and frankly not at all onerous responsibilities on all members, to not harm others. For convenience and predictability, some are kind of arbitrary, like which side of the road you drive on. There is no right or wrong, only right or left and the main thing is to agree which.

              Also as a practical matter, there must be some mechanism to address failure to carry out the responsibilities, proportional to the harm done and risk of further harm. Reasonable people can and do disagree about the balance of interests between those that fail and their victims (or potential victims). If that's what you meant by 'zero sum game' mindset, I think that's not true of mine. I'm not just arguing more strongly for 'the rest' in this case, but for a better approach to discrimination and bias against those that fail, as well as better risk management for the rest. I've also argued elsewhere for other reforms that would shrink the area where a responsibility exists and legal sanctions apply (e.g. drug possession).

              Also, I'm not sure what an ordinary member of the public actually needs protecting from in this case.

              See my reply to your other comment above about the particular trust needed in IT practitioners for them to work effectively. In this particular case, the members of the public who are the other employees or customers of Jet2 whose work with or business with Jet2 would have been disrupted by the hack (if it hadn't been mitigated by the other admin).

              1. Cynic_999

                Re: The straw man strikes again

                "

                What people with the mindset you describe never seem to understand is that *it is not a zero-sum game*

                Be honest, you mean me. I am a person with this mindset, surely, in your view.

                "

                Yes, I meant you as well as many others who think the same way. And as it is a mindset that you yourself expressed, I certainly do believe that you hold it.

                "

                If that's what you meant by 'zero sum game' mindset

                "

                I was thinking more of the effects a punishment has on people who are completely innocent and uninvolved. When you send a person to prison or effectively prevent a person from earning a reasonable living, that person's dependents are also punished, and by becoming an unnecessary burden on society, the lives of many others who have to compensate are also affected. If a person gets a speeding fine and as a consequence can no longer afford to buy his child the bicycle that was promised for Christmas, who is getting punished?

                In many ways "barbaric" physical punishments such as whipping or the stocks are far more fair because they have little negative effect on innocent people.

      3. Anonymous Coward

        Re: ... with a history like that

        Not that straightforward. Mate of mine has a minor drugs conviction from 30 odd years ago. Spent conviction or no, this has screwed with applying for virtually all jobs.

        Two lessons, 1) don’t do drugs and 2) forgive and forget is dead in the Information Age.

        1. sbt
          Alert

          Your lessons are an argument for legal reform of a different kind

          I drew different ones:

          1) It would be fairer to treat "victimless" crimes differently. Mere drug possession should be a misdemeanour, if at all;

          2) Forgiveness is one thing, forgetting, another. I'd still argue that betrayals of trust ought to be on record. Would you want a sex offender convicted of a minor assault years earlier to be employed in your kid's school because the conviction was spent? What about a fraudster who made off with a dozen OAPs' life savings setting up as a salesperson for timeshares in your parents' home town?

          1. Cynic_999

            Re: Your lessons are an argument for legal reform of a different kind

            "

            Would you want a sex offender convicted of a minor assault years earlier to be employed in your kid's school because the conviction was spent?

            "

            I would say that a person convicted for, say, groping a woman while drunk in a singles bar presents no more risk to your kid than any other random male. Probably less in fact, because he would be all too aware of the consequences of "crossing boundaries".

        2. mgs_84

          Re: ... with a history like that

          Does every job they apply for require enhanced DBS?

        3. ITMA Silver badge

          Re: ... with a history like that

          The problem with point 1 - "don't do drugs" - is it leads you into that "can of worms" debate about "recreational drugs", what is and isn't?

          It's a very biased "moral" question when alcohol and nicotine are almost always excluded when, in fact, they ARE both recreational drugs.

        4. Anonymous Coward

          Re: ... with a history like that

          I have spent convictions, all from my late teens/early 20's. Those are for drugs, fraud, theft and similar. Now I'm not far off 40, I hold a good job, I am honest, I pay my taxes and I look after my family. Without the Rehabilitation of Offenders act there is no way any employer would allow me in the door to come and explain myself, with it though I am the same as anyone else and when I go to prospective employers they judge me based on the person they see in front of them and not a mis-spent childhood. Everyone deserves the opportunity to better themselves, those who are willing will take it and those who are not will make themselves apparent.

    2. robidy

      Re: Good

      Whilst what he did deserved the sentace...I worry his successors may never learn basic security.

      Printer accounts don't need remote logon or admin access.

      1. Peter X

        Re: Good

        Also completely agree with the sentence, but also agree Jet2 need to look at their IT strategy. I was concerned at this bit:

        Without that admin account, the court heard, "repairing the damage was ultimately not possible."

        So, presumably no disaster recovery plan?

        1. Pascal Monett Silver badge

          How can you recover if you no longer have any access to the network ?

          A real question for the networking companies.

          1. Not Entered

            Bare metal restore using off-site backups of the domain controller ?

        2. Tom 7

          Re: Good

          I can think of a dozen places I've worked at where, despite it being relatively simple to implement sensible logical manageable security, management have always overridden the possibility to get something done to 'show off' to colleagues or customers. Rather than wait 10 minutes for things to ripple through safely, transactions be completed etc when they want to be flash they want to do it NOW so the system has to be set to allow that. And they always pass the buck verbally so by the time you turn up with their signed instructions to do what you advised against you're still guilty in everyone else's eyes.

          1. Anonymous Coward

            Re: Good

            Why change management is there. Trouble happens when change becomes tiresome and hinders working; then people do things to get around the change process.

      2. Not Entered

        Re: Good

        What's a sentance ?

        1. gazthejourno (Written by Reg staff)

          Re: Re: Good

          Neither a sentace nor sentence. Hope this helps.

      3. EveryTime

        Re: Good

        "Printer accounts don't need remote logon or admin access."

        They shouldn't, but do you know for certain that they don't? For all brands of printers, with all types of "value-add" bogosity that manufacturers stuff in the software?

        It often comes down to who gets the blame if you shut off that access and something critical stops working. In an environment where money is immediately lost if part of the infrastructure stops working, it's easy to understand why that configuration wouldn't be changed.

      4. Cynic_999

        Re: Good

        Maybe he was the person who set up the printer account for the very purpose of providing him with a "back door" if needed? He certainly must have known about it, otherwise he would not have known to use it.

    3. macjules

      Re: Good

      "People like that give the profession a bad name."

      I think you might well find that the reputation of the IT profession sailed South many years ago and in the UK he just has to wait 5 years before his DBS record is expunged at the basic level. Perhaps the addition of being ordered to pay £165,000 in compensation and to attend counselling for his anger problems might have been a more appropriately severe penalty.

      1. Alan Sharkey

        Re: Good

        His DBS record is never expunged. Information on convictions from many many years ago is still there - I know this as someone who does DBS stuff.

        1. mgs_84

          Re: Good

          Historic spent offences, with a few exceptions, are automatically filtered, even on an enhanced DBS, unless you have more than one conviction. Basic DBS doesn't show any spent convictions.

    4. Ian Johnston Silver badge

      Re: Good

      People like that give the profession a bad name.

      You obviously don't know the reputation of corporate IT departments.

    5. What did she say?

      Re: Good

      He will be lapped up by a company offering red team services no doubt.

    6. Anonymous Coward

      Re: Good

      He will probably just start doing the contractor thing. How many companies do detailed vetting on contractors, particularly on short term contracts? If he changes his name so this story doesn't flash up all over a Google search then I think the chances of him being found out are low.

      I am a former contractor who became staff at one of my customers. During the recruitment process the company insisted on a deep dig vet into my background, references and financials, including checking all my school and university qualifications decades earlier were genuine to "protect company assets and reputation." They were unable to explain why these things were suddenly necessary when I had been working in the same role for over 5 years as a contractor with no checks. If I was intent on mayhem, I had already had ample opportunity.

      1. Korev Silver badge
        Pirate

        Re: Good

        Not forgetting the organisations that heavily vet staff; but outsource everything giving some stranger in Elbonia full access to their networks and systems...

  2. Anonymous Coward

    All so plausible

    Does anyone think they've never worked anywhere where this sort of thing would be possible?

    Or indeed anywhere at all where it would *not* be possible?

    I reckon most of the places I've been would have some equivalent of this sort of account if a determined admin put their mind to it.

    1. Anonymous Coward

      Re: All so plausible

      Yeah, Royal Mail, when all I had to do was put letters in boxes.

      1. Cynic_999

        Re: All so plausible

        "

        Yeah, Royal Mail, when all I had to do was put letters in boxes.

        "

        After extracting any £50 notes you found inside birthday cards???

  3. Davegoody

    A very stupid thing to do.......

    When I left an ex-employer a good few years ago, it was 18 months later that I realised I still had cached credentials to the email and hosting setup that I implemented during my time as their IT manager. They were a HORRIBLE employer, and anyone who knows me knows who they are, so I won't mention them here. I could have wreaked similar levels of havoc on their systems very easily, but didn't for a number of reasons:

    1) They would know that it was me

    2) I would end-up in prison

    3) I am a reasonable human-being who bears no ill-will to the other employees at the business

    4) Life is too short to bear these sorts of grudges.

    5) I quite like the fact that I have moved-on to MUCH better and bigger things since leaving their employment, which would have been impossible to do with a criminal record.

    As much as it's tempting (too tempting in the case of this guy) it's just not worth it. As anyone who works in IT knows, we hold the keys to the business, and if we screw up (accidentally, or like with the above story, on purpose) there is often a lot at stake.

    1. Giles C Silver badge

      Re: A very stupid thing to do.......

      When I left a company a while back one of my duties at a new firm was to administer the RIPE records; whilst doing that I found I was still the primary contact for the old place's RIPE records and could log into them.

      A quick email later and I told them that they needed to change the records over. Hopefully they did but I haven’t checked since....

      Honesty is always the best policy, and if you tell them (in writing) and they choose to do nothing then you have made sure someone knows about it.

    2. Doctor Syntax Silver badge

      Re: A very stupid thing to do.......

      Can I suggest

      0) You're professional

    3. Anonymous Coward

      Re: A very stupid thing to do.......

      I left a company with a metric fuck ton of data I could have sold to competitors for a pretty penny. They treated me like shit and for the last three months' mandatory notice period had me logging in remotely doing a Homer Simpson with a nodding chicken on the keyboard, answering pointless emails every few days (long story about how you get brought in by someone else who then leaves; even though you do a great job, office politics get in the way). What did I do? Fuck all, just deleted it all. That's what separates us from bad people.

      1. This post has been deleted by its author

        1. matt 83

          Re: A very stupid thing to do.......

          Never understood this expression, surely an "imperial fuck ton" is bigger and better than a metric one?

      2. Cynic_999

        Re: A very stupid thing to do.......

        "

        That's what separates us from bad people.

        "

        Everyone has a breaking point as to how much bad treatment they will put up with before taking revenge. The "good" people just have a higher threshold than the "bad" people.

    4. big_D
      Thumb Up

      Re: A very stupid thing to do.......

      I had a similar situation. An ex-employer used constructive dismissal to get rid of me.

      I kept a copy of my emails, but everything else was erased (I went through my password manager the next day and removed all business related accounts from it, for example). I also noted all of those external accounts that I had had access to and put them in a letter to the company informing them to change those passwords (a copy to my solicitor). Likewise, I made a list of company equipment I had and when I returned it, got one of the directors to sign for it (a copy to my solicitor).

      I had a good case and I didn't want to ruin my chances of making them pay for wrongful dismissal by doing something stupid. I even refrained from bad-mouthing them on social media.

      I got a nice payout in the end, and a much better job at another company.

    5. FuzzyWuzzys

      Re: A very stupid thing to do.......

      I've worked for some absolute bellends over the years; the sweetest type of revenge is to simply complete all the required documentation and paperwork and then drop them in it by just walking away from a bad situation you know you will never fix. So long as you did what was required to the best of your ability, you're in the clear.

      Being vindictive will get you nothing but a bad reputation, the IT biz in the UK is surprisingly small and a lot of people know a lot of other people who know people by name and especially by reputation.

  4. Duncan Macdonald
    FAIL

    He was stupid

    If you are going to do such a thing then follow basic "do not get caught" principles - use a disposable tablet (or PC) and a public WiFi connection so that there is no trail pointing back to lead to arrest.

    1. Phil W

      Re: He was stupid

      This.

      I especially like the part where the police tracked him down from the IP address he connected from which was his own Virgin Media connection. I mean FFS there are so many ways to connect to the internet that are impossible or at least significantly more difficult than that to trace.

      It's also intriguing to go back to the original cause of the grievance. Who was the person he tried to get into the hotel the company was paying for? The obvious options are his girlfriend/partner, but if that were the case you'd think the company might have been willing to stretch to letting her stay with him if he'd asked. The other option seems likely to be prostitutes, which would explain the relationship breaking down after he was charged when the story of his grievance came to light.

      1. Dwarf

        Re: He was stupid

        So you are saying that they were not trustworthy in other important roles too.

      2. Imhotep

        Re: He was stupid

        In the US, you generally pay for the room, although some do charge extra for an additional guest.

        At the companies I've worked for, none objected to having your spouse share a room as long as their personal charges weren't submitted for payment. The one exception was the company that told me not to bother separating meals and other charges - just submit everything for payment.

        I'm thinking what happened here was tied more to who or what the guest was, and the individual's behavior. It all smells of wanker.

        1. big_D

          Re: He was stupid

          At a lot of hotels, at least in Europe, you pay for either a single room or a double room, but you usually get the same room, whether you are alone or with somebody else, you just pay less because it is single occupancy.

          Some hotels turn a blind eye, if you're discreet, or bigger hotels just don't notice, because there are so many guests and so much traffic going through the foyer.

        2. Amentheist

          Re: He was stupid

          Essentially, some people can't take their booze.

          1. Alan Brown Silver badge

            Re: He was stupid

            "Essentially, some people can't take their booze."

            Reading between the lines, pretty much this - the hotel incident appears to have happened when he was tanked up and so did the hacking ones.

        3. Tom 7

          Re: He was stupid

          It does but we shouldn't assume.

      3. Goldmember

        Re: He was stupid

        It's probably a fair guess that he tried to bring back a prostitute or two; or the same one twice. This is Benidorm, after all. I went to another cheap Brits-abroad dump of a place (Sunny Beach, Bulgaria) on a lads' holiday, many years ago. One of my mates brought an "extra guest" into the room at 5am. A hefty charge was applied for this, even though technically his roommate hadn't yet stumbled through the door so the number of guests hadn't changed.

        He probably wouldn't have done this on a company-funded trip, though. There are lines which should not be crossed.

    2. big_D
      Facepalm

      Re: He was stupid

      Yes, good advice, but even better still, don't do it in the first place!

    3. Arbuthnot the Magnificent

      Re: He was stupid

      Yes, if you're going to get back at the shitty company that laid you off because you wouldn't suck up to the boss and lie to customers, by maybe deleting the firmware from all of their switches and routers and scheduling a reload, you'd best do it from the library or something. I imagine.

      1. whitepines

        Re: He was stupid

        Wouldn't the more satisfying thing be putting the screws on the company, slowly, by reporting said behaviour and making sure it gets thoroughly investigated, up to the directors, and prosecuted?

        Sure, it might be more work, but not only is it legal it would be all kinds of fun to watch the guilty squirm in court, no?

  5. Anonymous Coward
    Anonymous Coward

    > tried to bring back a guest who was not checked into the hotel he was staying at.

    Most places seem to charge for the room, rather than per person. Are you really not allowed to bring back someone who wasn’t with you when you checked in to a hotel room in Benidorm? Seems odd.

    1. Anonymous Coward
      Anonymous Coward

      Probably a "nice" hotel trying to distance itself from Benidorm debauchery...

      My wife was once accosted by a hotel doorman in Dubai. He thought she was "working"!

      1. Anonymous Coward
        Anonymous Coward

        ^^^ this

        If you can get your wife to dress up (and act up) a little so that reception give her the cold shoulder, you can often get free meals / room upgrades as part of the resulting apologies ... :-)

    2. big_D

      Nearly every hotel I've stayed at has had single and double room rates, but 90% of the rooms were doubles, so you still got a double, even though you were paying for single occupancy.

      1. Robert Carnegie Silver badge

        Yeah, the "Not Always Right" web site recently (...this year - probably) had a story about a guest who objected when his "single room" booking was / was going to be actually a single, not a double. I think he wanted his wife to come as usual, or something. Anyway, then he wanted a discount refunded to him because he was getting what was ordered. The other reason that didn't happen is that his employer had paid for it anyway.

    3. Tom 7

      In the UK they charge you per person generally. In the US it's per room. I was staying in a motel with my family of 5 in a cramped family room and as we prepared to leave in the morning the identical room next door to ours emptied into a 17 seater which they filled. I have no idea how they managed that with 3 double beds - they must have brought their own bunk camp beds!

      1. Anonymous Coward
        Anonymous Coward

        Not in any UK hotel I've ever stayed in. You pay for the room, then there is a per person charge for breakfast, dinner etc. The room is always the same price whether one or two occupancy.

      2. Phil W

        Yeah this has never been the case at any hotel I've stayed in in the UK ranging from Travelodge and cheaper budget hotels to more expensive premium hotels. I've also literally never seen a difference online when booking either, many forms ask how many people are staying but this has no bearing on price.

  6. Chris Hills

    Negligence

    It sounds like the company were negligent in not using two-factor authentication for privileged accounts, as well as allowing interactive sessions for service accounts.

    1. dnicholas

      Re: Negligence

      That was this wanker's job

    2. Peter X
      Joke

      Re: Negligence

      But they didn't allow interactive sessions for the service account... in the hotel though did they?! :D

  7. Joe Montana

    Sophistication and planning?

    This wasn't an attack with "a high level of sophistication and planning", this was a poorly configured network and a guy who knew just enough to be dangerous... If he really knew what he was doing he would have known what monitoring was in place and taken better steps to cover his tracks.

    Why was a service account for a printer able to log in from outside the organisation?

    Why did a printer service account have admin privileges?

    This bit about requiring inside knowledge to do the hack quickly, I've seen enough internal pentests where domain admin was compromised within 15 minutes, and given what has been disclosed about service accounts and password sharing I can't imagine it would have been very hard at this place.

    1. Richard 12 Silver badge

      Re: Sophistication and planning?

      It appears that he found and tested an entryway some time beforehand, then got drunk a couple of weeks later and used it to create havoc.

      That first part definitely constitutes planning - to do what is unknown, but to do something.

      Sophistication is relative - Random Joe Public probably couldn't have done it, unlike (eg) smashing a hotel phone.

  8. Stumpy

    I'm surprised that no-one else has commented on this, but given the scale of what he did, doesn't 10 months in Chokey seem a little ... lenient? Especially given that he'll serve, at most, half of that.

  9. Mr Dogshit

    What a cad

    Brown shoes... says it all really.

  10. Another User

    Laptop to be destroyed...

    Will the laptop be hung drawn and quartered? Or will it be burned at the stake in proxy?

    Forfeiture of the laptop is obvious but why harm the environment by willful destruction of a valuable object which could be auctioned off?

    1. Anonymous Coward
      Anonymous Coward

      Re: Laptop to be destroyed...

      Save the laptop! It's innocent.

  11. SonofRojBlake

    I am not an IT worker of any kind...

    ... I just use the stuff. But this story sounds so ridiculous in so many ways:

    First: just who were the "guests" he was trying to get into his room, and how were they intercepted on their way there? Were there bouncers in the hotel or something? I wonder if either of the TWO women who were reported as trying to catch his eye were involved? It all just sounds strange.

    Secondly, this super elite hacker used his own laptop, FROM HOME??? Given my aforementioned complete lack of hacking skillz (with a z) even I would know enough to buy a burner laptop and log in from a branch of Starbucks or something.

    Really a lot of this sounds like this guy was drunk literally most of the time.

    1. Just Enough

      Re: I am not an IT worker of any kind...

      His "guests" were probably people he'd just met and had an "arrangement" with. They were probably known to the hotel staff. That's why they were spotted and told to sling their hook.

      Never underestimate a drunk idiot's ability to do stupid things.

      1. PyroBrit

        Re: I am not an IT worker of any kind...

        Don't log in from Starbucks or any coffee establishment as you are most likely to end up on CCTV.

        1. SonofRojBlake

          Re: I am not an IT worker of any kind...

          See? I told you I was shit at this.

  12. phuzz Silver badge
    Joke

    Slow

    "Disgruntled ex-techie took just 13 minutes to almost wreak havoc"

    Pfft, the BOfH could have done it in two, with another thirty seconds to pin the blame on someone in accounts. Followed by another few minutes to persuade the hapless mark that it was all over, and they should take a look at the view out of this window just over here...

    1. MJB7
      Holmes

      Re: Slow

      You are Simon Travaglia AICMFP

      1. phuzz Silver badge

        Re: Slow

        Much as I'd like to take credit for his writing, I must admit that I'm just a fan.

  13. Anonymous Coward
    Anonymous Coward

    Amazing that everybody targets the perpetrator but not his employer? Can't it be that if that man's employer treated him better then this wouldn't have happened in the first place! Why do people judge individuals while sometimes the company itself is rotten!

    Just like drug abuse, most people use drugs as an escape from their tedious unfulfilling life or jobs. Give these people a meaningful job with proper wages and then they wouldn't need drugs! But instead our society only responds with intimidation and repression. While it's clear that that doesn't work!

    1. Robert Carnegie Silver badge

      I favour giving those who so choose the drugs, but no job. My plan isn't getting much traction yet.

  14. HarryBl

    He ought to have got 10 years for wearing brown shoes with a dark suit.

  15. Big Al 23

    Just 5 months for all that damage

    That doesn't seem like justice to me.

  16. Wish You Were Here

    Real Crime

    Surely the real crime here is that the system was so vulnerable? One malcontent can take the lot out in under 5 minutes? Pretty poor set up here obviously but security should be by design, not accident. Is Windoze so poor that a single person can log on and trash it or can it be designed/configured to require at least two miscreants to wipe it out? Asking for an industry.

    1. Robert Carnegie Silver badge

      Re: Real Crime

      I like the idea of a two key access system for disaster initiation.

      That can be done very simply, if not well, with an ordinary password set to letmein younonce. Me letmein, younonce. We each type our bit of the password. Then click OK. It says "Password incorrect" and we are required to bicker for sixty seconds over whose fault it is. Not because of a bad login time-out, it's just how professionals "bond".

  17. Anonymous Coward
    Anonymous Coward

    jet2 Brutus

    Competering's a trade not a profession ... don't get all uppity

  18. Anonymous Coward
    Anonymous Coward

    It's a pity this was pre-GDPR. Jet2 should be stuck with a stonking fine for having so many unsecured/shared domain admin accounts lying around evidently without any security precautions taken whatsoever.

  19. Robert Carnegie Silver badge

    Wondering

    Does the story qualify for "Who, Me?". In June, I suppose?

  20. sw1sstopher

    I've held off the push for installation...

    ...and this, kids, is why you don't give service (or MFP print) accounts domain admin rights.

    No matter who asks for it, they don't need domain admin rights. I'd go out on a limb here to suggest that anyone who insists on having domain admin rights doesn't know what they are doing and should be escorted off the premises quick sharp.
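
The questions raised in the comments about the printer service account (why it could log on interactively, why it could log in from outside the organisation, why it held admin rights) can be turned into routine checks. The following is an added example, not part of the original thread or of any system described in the article: the account names, addresses, internal range and event records are constructed, and only Windows event ID 4624 and its logon type numbers are real.

```python
import ipaddress

# Event 4624 (successful logon) types that give a person a desktop session.
INTERACTIVE_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

# Constructed inventory: service account -> group memberships (hypothetical names).
SERVICE_ACCOUNTS = {
    "svc-mfp-print": {"Domain Users", "Domain Admins"},
    "svc-backup": {"Domain Users", "Backup Operators"},
}

# Constructed 4624 records, reduced to the fields this check uses.
EVENTS = [
    {"id": 4624, "user": "svc-backup", "type": 5, "src": "-"},
    {"id": 4624, "user": "svc-mfp-print", "type": 3, "src": "10.0.7.15"},
    {"id": 4624, "user": "svc-mfp-print", "type": 10, "src": "203.0.113.50"},
    {"id": 4624, "user": "alice", "type": 2, "src": "10.0.1.9"},
]

def is_external(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:  # some logons record "-" instead of an address
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def audit_groups(accounts):
    """Return service accounts that are members of a privileged group."""
    return {name: sorted(groups & PRIVILEGED_GROUPS)
            for name, groups in accounts.items() if groups & PRIVILEGED_GROUPS}

def audit_logons(events, accounts):
    """Flag service-account logons that are interactive or come from outside."""
    findings = []
    for ev in events:
        if ev["id"] != 4624 or ev["user"] not in accounts:
            continue
        reasons = []
        if ev["type"] in INTERACTIVE_TYPES:
            reasons.append("interactive logon (" + INTERACTIVE_TYPES[ev["type"]] + ")")
        if is_external(ev["src"]):
            reasons.append("source outside the internal network")
        if reasons:
            findings.append((ev["user"], ev["src"], reasons))
    return findings

if __name__ == "__main__":
    print(audit_groups(SERVICE_ACCOUNTS), audit_logons(EVENTS, SERVICE_ACCOUNTS))
```

A service account should normally appear only with logon type 5 (Service) or 3 (Network), so any finding from `audit_logons` is worth an alert rather than a periodic report.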
