Travel agency conned out of £70,000 due to password security lapse
Former member of staff used his old passwords to book flights and hotels and to travel the world - at agency's expense
A former member of staff at Thomson-affiliated travel agency Cambridge Business Travel ran up bills of more than £70,000 by logging on to the company's systems and booking flights and hotels after leaving a job he held for just two months.
Teenager Reece Scobie was able to book flights and hotel rooms for a period of six months between July 2011 and January 2012, when the fraud was uncovered.
The security lapse highlights the need for companies to enforce rigorous control of passwords as part of their wider security procedures and, perhaps, to consider multi-factor authentication to tighten access to critical systems.
Nineteen-year-old Scobie repeatedly logged in to the company's systems to book flights - in business class - and stay in top hotels in Dubai, Singapore, Los Angeles, Auckland, Vancouver and New York. He used both his own name and a series of aliases to book hotel rooms.
In addition to using his own corporate passwords, which had not been revoked, he also used the account of another employee of Cambridge Business Travel to book a slew of flights.
The fraud was uncovered when Scobie was in Los Angeles and his return flight was cancelled - forcing him to borrow money to make his flight home.
In total, Thomson Travel lost £11,256 as a result of the fraud, while Cambridge Business Travel lost £59,878.
Scobie admitted two charges of fraud. At his trial in his home town of Perth, Scotland, the court was told by his lawyer that Scobie suffers from Asperger's syndrome. Sentencing was therefore deferred pending psychiatric reports.
Using the kind of "social engineering" techniques publicised by 1990s hacker Kevin Mitnick in his book The Art of Deception, Scobie even managed to persuade court staff to return his sequestered passport after producing fake proof that he had a new job - in the travel industry.