Slashdot Mirror
Air Canada Sues Over Misuse Of Employee Password
Anonymous Coward writes "What do you do when you let an employee go? You kill their password and ID, right? Air Canada didn't, and they're now in court because the employee went to a competitor, wrote some cool automated scripts using the ID/password, and grabbed some company data." Interesting story, because Air Canada authorized the employee to access this website and book tickets for himself as part of his severance, but they apparently provide a little more data on that site than what is available to the public.
To airlines, a space-available ticket is something that's being plucked out of the garbage. It represents what they allow most of their employees to do... fly for free when there's an empty seat that's going to be going to be going somewhere. Of course, the critical mistake was that in order for somebody to know if there's going to be space-availalbe, they have to publish on this site how full or not full the plane currently is.
So there's where the dumb idea play comes in. If they had just let him have some free coach tickets through the customer side the operation then all they'd have to do is give him some limited-use coupon codes. Or they could have given him cash in his severance package. But no, they had had to go with these theoretically near-zero-cost cost tickets... and now look where they are.
Some of Canada's largest pension funds as well as Toronto conglomerate Onex Corp. and several U.S. vulture funds have been mentioned as possible replacement investors in the airline.
Was that a typo... or is The Globe and Mail public on it's low opinion of venture capital operations?
We may see an interesting test case for the validity of website terms of serivce here, or maybe even what happens when a website forgets to cover a form of abuse in the TOS.
Afterall, the site that was involved here was designed for an internal audience, one that'd not dream of feeding info to a competitor.
But they couldn't simply delete this guy's account because he was entitled to use that site for the next five years to book free air travel as part of his severance package. If he was told not to give the information to his new employer, that's one thing. But if he wasn't, then who can say that infomation given to an ex-employee without any contract still counts as a trade secret?
So, if there isn't a TOS on the page in question... things could get really interesting.
Some of Canada's largest pension funds as well as Toronto conglomerate Onex Corp. and several U.S. vulture funds have been mentioned as possible replacement investors in the airline.
Finally a newspaper that calls a cat a cat!
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Of course you don't remove old IDs/PWDs, the larger the user database is, the cooler it looks.
Right?
It seems that the ex-employee used automated technology to access information that he was allowed to access. What makes this information confidential?
Maybe Lanford signed somthing, but the article doesn't mention what violation Lanford committed, aside from 'using confidential information' that he obviously had access to.
How effectivly can a company regulate the way that information it discloses can be used?
IANAL. Maybe there's some sort of quid-pro-quo regarding Lanford's receipt of something tangible like tickets which would make a confidentiality agreement more binding than a simple clickthrough liscense, but does anyone know what it takes for one of those buggers to hold up in court?
From the article;
The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website.
"The continuous and massive use of Lafond's employee ID number and PIN to access the employee website could not be done by one individual and far exceeds any possible potential use by Lafond," Air Canada said.
Well, obviously he did use the information. It's just a matter of what he used it for.
"Such massive access to the employee website through one employee ID number could only be accomplished through automated technology."
___
It's the end of my comment as I know it and I feel fine.
The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website
It took more than 10 months to realize that this account was hitting the site roughly 750 times per day? Somebody didn't bother to check the logs regularly... this should have smelled funny much faster than that.
The funny thing is, Air Canada is one of only a few corporate entities world wide that probably can't afford to sustain litigation against a private citizen =)
For the benefit of Americans who probably neither know the circumstances (nor really care I'm sure), Air Canada is Canadian's only remaining national airline (i.e. services all parts of the country as opposed to just a few very profitable routes; and does so with legendary rudeness, but that is another story), and it is quite bankrupt. Its chances of survival at this point seem pretty remote.
The real problem is the lack of security awareness by Air Canada.
The imformation could have been obtained by noting the place and departure times of all Air Canada's fleights. The ex-employee just made it easier.
Too, it looks like a sinking ship in search of rats.
"Using that confidential information, WestJet adjusted its own schedule, planned its expansion into new routes and adopted pricing strategies to force its larger competitor out of certain markets, Air Canada alleges."
This is an insider-information case, and he should get what's coming to him. Pure and simple. He abused a quirk, he and WestJet really don't have a strong case here.
Kip Hawley is an idiot.
I guess it depends on what terms and conditions were specified when they gave him the login and password. If he had to sign an agreement when he got them..presumably they would still be in effect as long as the Login/Password was active.
If the use of the login and password was specified in an employment contract though, would he still be bound to the Ts&Cs after he left?
I think some IT heads will roll there.
Anybody wanna apply for the job(s) ??
(Ok, it probably means moving to Canada, but for a lot of people that shouldn't be a problem, right??)
This is the sig that says NI (again)
Exactly. What i don't understand is that nobody at WestJet questioned this method of data collection, surely they could have smelled the flannel-wearing rat from several nautical miles away.
Will wank off Linus Torvalds for fame.
Hey, space-available tickets are a very good deal for the airlines and the employees who work for them. I probably would not be working for an airline if it weren't for the fact I've been to Europe twice, Japan once, and Mexico more times than I can remember in the last four years, all working at a salary barely twice the minimum wage. The Reservation center I work at has an extremely low turnover rate by call center standards, and most of my co-workers travel abroad on a regular basis. And the company gets lots of happy workers just by giving away the seats they can't sell.
But it's insider information he was explicitly allowed to have.
Air Canada fired him. Laid off. Not any longer employed but continued to give him access to information they wanted to keep private. They have, however, no reasonable expectation that this information would be kept private unless of coure it was previously arranged in the severance or rider contract.
Insider information isn't illegal perse. For example, if I went and physically counted the number of people getting on and off Air Canada planes at different times, and recorded that and sold it to WestJet things would be just fine. It's called market research.
The real issue here isn't insider information. It seems to be in my opinion trade secret.
How do you know that he didn't just automate checking which flights had empty seats on them, so he could take advantage of his free tickets?
Sure, it looks likely that he passed this information onto his new employer, but unless you are the defendant, how can you be so sure?
The world needs more people who don't just jump to conclusions from reading one newspaper article.
codegolf.com - smaller *is* better.
I'm currently working on a project like this as we speak. My company's website is getting nailed from a handful of IP addresses that do nothing but datamining. We've come to the conclusion that captchas would penalize joe user and we're going to move forward with some applications that throttle requests by IP. We don't keep private information outside of account specific data...
My company is looking at it in a different way tho - We've figured out what click sequences are used and we're going to address the business need that these few bots have identified. If these 3rd party bots are selling atomic or aggregate data, well, why not cut them off at the source and sell the data for less?
The company failed in 2 areas - 1) keeping sensitive inside information from their outward facing internet site and 2) They should have rescinded the ID. I'm not sure about making their data available to the competition, but thats an inevitibility that they need to account for.
-B
The real issue here isn't insider information. It seems to be in my opinion trade secret.
I'm sorry, you are correct. This is a trade secret issue. If Air Canada can cough up the paperwork saying he was only allowed to use his insider information to book his own tickets and absolutely nothing else, then it's an open-shut case. If not, then it'll be interesting to see how WestJet's lawyers defend this dude.
Kip Hawley is an idiot.
For me, being Canadian, the funniest part of the whole article is how Air Canada's suit is looking for lost profits. Air Canada hasn't made a profit in decades, being a quasi-Crown corporation that can depend on the govt bailing them out when they run out of money.
Seems to me that Air Canada will have to pay WestJet money for "lost profits," since they spared them from losing money on those flights!
How do we know they were 'cool' scripts. If he was such a great scripter, why was he let go.. or is simple web crawler enough to pass for 'cool' these days. Perhaps they were among some of the most inefficient scripts of all time, rivaling those found in the Hall of Terrible Programming.
You are entering an Official Air Canada System, which may be used only for authorized purposes. Unauthorized modification of any information stored on this system may result in criminal prosecution. The Government may monitor and audit the usage of this system, and all persons are hereby notified that use of this system constitutes consent to such monitoring and auditing.
It turns out they are a security hole. That makes them a bad idea, even if they are a way to save money for the airlines and the people working for them. If I cut off my leg, I wouldn't have to eat so much... unless hopping takes more energy than walking. Hmmm. Bad ideas can have obvious good traits and subtle bad traits.
And if you are the low paid IT worker whose code do you give? Somebody who has left the company but is still in the system.
True, it's fishy that the ID belonged to somebody who went to a competitor, but how many major airline employees have moved to budget airline companies?
I think Air Canada whould at least have to prove that he, or somebody he deliberately gave his ID to, was responsible for the mega use of the site.
And if you thought that was boring you obviously havn't read my Journal ;-)
The story digest may have this completely wrong. It says "What do you do when you let an employee go? You kill their password and ID, right?"
The activity in question appears to have been facilitated by access granted as part of his severance package. As the article notes: "As part of his separation package when Lafond left Canadian Airlines in October 2000, he received two space-available airline tickets per year for five years. These tickets are booked through the private website."
The article is actually a little hazy on the details here. Though it doesn't specifically say so, it seems to imply that the separation agreement gave the terminated employee direct access to this private web site through a user name and password. One can imagine other ways this could be done that didn't involve direct access to the employee, like through a dedicated fulfillment provider, for example.
Either way, it sounds like it all amounts to some pretty dumb corporate behavior on the part of Air Canada. Either bad security practices if they didn't cut off the guy's access, or bad auditting if all that use went unnoticed for so long.
In Denmark where I live the rules are simple.
You don't get sued for accessing the website, with or without an illegal id. You get sued if you misuse information you gained in your former employment. It doesn't matter if it is in your contract, the commerce laws in Denmark forbid use of inside knowledge to harm other companies - as it clearly is happening in this case.
I would guess that Canada have some similar laws.
So how you obtain the information is irrelevant - even thou this case in interesting from a slash-dot point of view.
-:) Oh no - not again.
www.rednebula.com
I think the 243,630 times the ex-employee Lafond accessed the site gave it away. That information was found in the CBC Business news.
Even the samurai
have teddy bears,
and even the teddy bears
get drunk
It's not so much What Air Canada's doing, but how they went about it. There really doesn't seem to be much reason to give former employees access to private sites. Although it's not too clear in the article, the least they coulda done was create a separate network, with filtered data (i.e. a DB with just empty airline seats, and also coded in different ways so that you don't really have too much of a clue what's going on elsewhere...) Heck maybe the employee shouldn't even have visibility into what routes have empty seats, but just submit a request for an empty seat. (i.e. Instead of the system saying "we have 50 free seats to mexico today, take your pick" it should simply say " Mr. X, you have got the free seat to mexico today". ) How difficult would that be to do really? Even simpler is not allowing the former employees access to private sites, severance or not. This is simply laziness on Air Canada's part (hell we have to give these bozos free tickets, so let's just give 'em a little more access).Air Canada got what it deserves, and if anything, it should be Air Canada's investors suing Air Canada!
This is step one in my plans for World Domination. This time, it will work.
I'm still trying to figure out what people mean by 'social skills' here.
Are we that juvenile that we admire anything technical, regardless of its use, or in this case, misuse?
You people need to grow up.
-- You see, there would be these conclusions that you could jump to
They're a great deal for the employees, but revealing which routes have space-available seats shortly before takeoff is highly valuable data. That shouldn't be in trusted the hands of an ex-employee.
Had they simply upgraded him to a regular coach seat, there'd be no need to be giving him access to the employee-side site. This was a case of being cheap in the near term costing more in the long run...
According to this logic, if you leave your front door unlocked, and I walk in and take your stuff, it's OK, because you allowed me access to it. True, they should have locked down their system a bit better, but he was clearly in the wrong with his actions. I don't think this qualifies as insider information, but more appropriately called company proprietary, or company confidential information. Sure, by sitting at the gates counting people, you can get the info, but taking it from internal company web sites makes it a hell of a lot easier and more accurate.
Just my $.02
Liberalism...the next best thing to thinking.
But it's insider information he was explicitly allowed to have.
The issue wasn't that he had the information, but that he passed it on without Air Canada's authorization.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
This guy is the reason the IT industry is full of non-compete contracts... what a 100% total asshole.
Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
According to this logic
Which logic is that? Certainly not any that was posted here.
if you leave your front door unlocked, and I walk in and take your stuff, it's OK, because you allowed me access to it
No. More like: if I gave you a key to my front door, and told you to take whatever you wanted from my fridge, and you come in, clean out the fridge, and sell it to the market across the street, then it's OK, because I gave you access to it.
Which it would be (because I have given you permission.)
he was clearly in the wrong with his actions
Not necessarily. If he had an agreement that he wouldn't give/sell the information to anyone, then you may have a point, but if there was no such agreement, then he's quite clearly not in the wrong.
I don't think this qualifies as insider information, but more appropriately called company proprietary, or company confidential information
If it was proprietary, or confidential, then the company should have had measures in place to keep it that way. You can't give something to someone with no strings attached, and then cry foul when they use it for something you don't like.
I'm not sure anymore if that would help, but I know at least one company never changed their passwords because their vendors kept paging me, up to a year later, to "go into the system and make these changes." One of the vendor contacts and I had became good friends, and one day he begged, "We can't get in, and those bozos won't answer our pages." So I told them the last password I had, stating it probably wouldn't work. Nope, he got right in. Root access to a major gateway.
And the password was easy too, like abc123 "That's the combo on my luggage" easy. Considering this gateway controlled 48 T1 lines to a large call center, I shudder to think how it could be used if phreaked.
'The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website'
Let's see who's visiting our website last month...OMG!
How could a commercial website be so clueless?
sig mind freed
Quote from Wompom website:
" If AC really knew the truth they would realise that access had been made following the circulation of the PIN on airline chat lines earlier this year. WomPom even used it to verify its functionality."
http://www.wompom.ca/news/wp2004apr07.htm#1
Duh...
Issue 1: Stupidity of the organization to not lock down permissions and/or kill the account/password.
Issue 2: Duplicity from the former employee accessing data he knew full well that he should not have accessed.
Both need to harbor the blame for their part.
It is called reasonable expectations. It is reasonable for your friend to make aa sandwich and grab a glass of soda. It is unreasonable for him to empty the fridge. One could probably argue a smll claims settllement successfully on such a case.
Just a Tuna in the Sea of Life
Yup. That's a pretty common pricing strategy among airlines these days. A lot of it has to do with the "hub and spoke" routes they fly. They aggregate everyone into the big hubs and then fill a big plane to fly hub-to-hub or make the popular intercontinental flights. Then they offer cheaper fares to fill up the "spoke" flights. It can often be cheaper to drive an extra half hour to a different airport and fly to the hub than to fly directly out of the hub itself.
As for how good this is as a business model...It works, more or less, for NWA, United, et al. but Southwest only flies point-to-point.
Things to do today: See list of things to do yesterday
You get sued if you misuse information you gained in your former employment.
But the thing is - he's not using information he gained in his former employment.
He didn't get the information while he was employed there - he got it after he left, from a website that is available to non-employees.
forbid use of inside knowledge to harm other companies
But it's not inside knowledge - if it was inside knowledge, then (by definition) it would be kept inside. The fact that Air Canada releases this information to outside individuals means that (again, by definition) it can't be 'inside' knowledge.
how you obtain the information is irrelevant
No, it's not - otherwise a company could take any group of facts, brand them as 'private', and then sue anybody who discovers it on their own.
As someone else pointed out, the same information could have been retreived by simply going to the departure gates and counting the number of people boarding the planes - are you suggesting that doing this is also illegal? After all, if it doesn't matter how you got the data, then any way you get the data would be illegal.
BTW, if your assertion that it doesn't matter how you get data is correct, wouldn't that make reverse-engineering illegal in Denmark? (After all, you're getting 'private' information, and then using it to help another company.)
Just be careful. These are only allegations, and one should take any claims that Air Canada makes about WestJet with a couple of grains of salt. They have a huge WestJet complex. Not that I'm saying that this kind of thing couldn't happen.
www.timcoleman.com is a total waste of your time. Never go there.
im not up on canadian law.. but if its anything like the US they better hope he signed his non-competition agreement nice and clear :)
I think Air Canada's CEO Robert Milton deserves the IgNobel of economics for taking a monopoly into bankruptcy, and from there likely into liquidation.
What you say is true, but you completely missed the point. By giving space-available tickets to an ex-employee, they opened themselves up to this sort of stuff. He wasn't saying that SA tackets are a dumb idea, only that it's dumb to give them to someone who doesn't work for the company anymore.
If a job's not worth doing, it's not worth doing right.
They would have had a problem if they had checked baggage, which would have gone on to Austin, where it would probably be destroyed, possibly by the bomb squad. Seriously, though, getting off the plane when you are not meant to is one thing airlines and governments get very pissed off about for security reasons - e.g. you get off at a stopover, leaving the bomb you placed in your baggage on the flight.
Sure, any dummy can make note of departure/arrival times, its probably even accessible from flight control. But how are they going to tell if a route is profitable. The only way to find out is by determining passenger load. This guy had access to that information.
Of course, you could always try and scan the windows of the plane to see how many people are sitting in there but what if they all sit on the same side?
My parents were coming to visit me on a new route by a competitor to Air Canada. At some point (can't remember when) the pilot asked (half joking i'm sure) the passengers to move to the right side of the plane so Air Canada employees thought the plane was full. A couple of people actually changed their seats. Bah, it was a funny story when my mom told it.
"Thanks to the remote control I have the attention span of a gerbil."
It is unreasonable for him to empty the fridge.
Unreasonable for whom? To me, sure - to him, possibly not.
One could probably argue a smll claims settllement successfully on such a case.
yes, and one could probably defend a small claims case successfully on such a case.
It would entirely depend upon the judge, and the skill of the people presenting each side of the case.
Lawsuit aside, what about this guy's sense of professional ethics? Regardless of what TOS the AC site put up, or whether the guy could get away with it on a technicality, who wants that type of person working at their company?
And if I was his boss at WestJet, I'd be nervously trying to figure out what data this guy will 'volunteer' once he leaves his current employment...
It has been pointed out that the data he retrieved from WestJet, he retrieved after he left, and therefore didn't steal it - but the existence of the server, and the fact that he could access it - is information that this guy had a professional obligation to keep to himself.
I hope WestJet takes care of him, 'cause I can't imagine him working anywhere else now...
Pixie
don't mess with those geekgrrls
So you have an incentive *not* to sell all the seats on a plane. Sounds like a winning business plan to me.
Actually, I'm kidding. It's nice to see a company value its employees, and offer reasonable benefits, as opposed to the useless/self destructing crap they usually push on people, like stock options.
"If you could only see what I've seen with your eyes..." - Roy Batty
What does this say about outsourcing VS IT security ... and India too.
It turns out they are a security hole. That makes them a bad idea, even if they are a way to save money for the airlines
That's a bit shortsighted, isn't it? These tickets are a great idea all the way around. It's how they give access to the information that's at fault, not the concept of zero-cost tickets. That's like saying that because you killed someone with your car, all cars are a bad idea. The problem here is that Air Canada's website allowed an individual to do 600,000 lookups (whateve the number was). There should be a reasonable limit, like 100 a day or less. There's no reason for any one person to have more than that, and with such a limit in place the program should be able to continue without a problem.
Jesus, write a script kiddie toy to use the existing front end to interrogate the back end once a minute for ten months? What the hell is that?
... and it snowballed from there as some sort of clandestine 'upper-management wants to be a hacker' way. Then again it worked and helped them on the business side in a massive way so I guess it wasn't completely stupid. Except for getting caught, of course, hammering on the system day and night for 10 months and leaving an audit trail as long as your arm.
If you are going to hack, HACK. Hook up directly to the database back end and write some SQL to extract all the data at once and have it spit out nice neat reports summarizing the data. Run it once a day at most.
Somehow I think this guy was showing off to his boss the first week like some newbie - probably said 'hey check this out' the first day when showing it to him without thinking through the long term ramifications
Glonoinha the MebiByte Slayer
it's dumb to give them to someone who doesn't work for the company anymore.
Yeah, someone who works for the company would never do anything nefarious with the information, would they? It just seems obvious that everyone with access to the site, employees or otherwise, should have limits placed on accesses. It's crazy to allow anyone hundreds of thousands of queries.
but logging into a website 32 times an hour for 10 months; is that really necessary to get the information Westjet is accused of using?
I would think a couple of times an hour at most would be all that is required to gather flight loads. I can't see a whole lot of passengers waiting until 2 minutes before the flight to book their tickets (it may happen once or twice, but over the course of months those will be anomolies). So either Westjet was being stupid and killed the goose that laid the golden egg, or there is a lot more going on than we being told.
This is just more typical Air Canada stuff. They are constantly plagued by these problems, mainly due to bad management. Every few years Air Canada goes through some huge financial crisis and all of a sudden becomes public property forcing the tax payers to foot the bill of their frivilous spending then as soon as they become profitable again (not usually for very long) the profits are directed into the pockets of the very people who put the company in that position in the first place and whos asses the tax payers just saved. So I personally would like to see Air Canada chopped to bits by one of those "vulture" companies so they stop costing me, and the rest of the Canadian tax payers, money.
once a well known carrier
sweet were the times
when everyting was okay
then Milton came
threw money away
and air canada went south
now they want to blame
a suspicious lame
for a web site info leak
stay away
from their IT practices
they'll sue your ass
whenever they got the chance
I can see the guy
pounded in the ass
on his first night time in jail
wonder what is next
for this carrier
and their useless management
get on the phone
call your broker asap
sell all their stock
before you hit the ditch.
sell all their stock
before you hit the ditch!!!!!!!
Why am I not seeing responses from those who say "Information wants to be free"?
Air Canada is liable to those whose data (and lives) they protect, for leaving the door unlocked on a busy street. And the ex-employee is liable for trespassing, regardless of their posession of an old key, once disinvited from the premises, to say nothing of theft and privacy invasion. Corporation vs. ex-employee is a false choice: they're all guilty.
--
make install -not war
Of course, the critical mistake was that in order for somebody to know if there's going to be space-availalbe, they have to publish on this site how full or not full the plane currently is.
Sorry, wrong!
Many airlines when you call to wait-list yourself on a flight will do just that.... You don't get any details about how full the flight is.
If you want to get particular, this is called Non-Revenue Space-Available. I can list myself on a flight that operates 4 months from now that may only have 4 people booked on it. Or, I can list myself on a flight that departs in 15 minutes that's oversold by 2 seats. If there's enough no-shows on the flight, I get a seat. The whole concept of non-rev travel means that if there's an open seat and you're ready to go, you can get it.
The value of that empty seat is $0 the moment the aircraft door closes, hence the airlines willingness to to allow employees or interline agreement employees to travel for free.
The ability to get listed on a flight is a totally seperate event from letting the guy have access to their reservations/booking system. That's just piss poor security procedures on the part of Air Canada.
I work in an airline dispatch office, so this is something I have some familiarity with.
-- El Sacarino tiene gusto de la chocha
But, the article says nothing about any agreements he may have signed about the use of the data that he found. If he didn't sign any agreements, what he did was only really sleazy and not illegal or punishable in any way. Having said that, I too hope that he did sign something prohibiting this kind of use so some kind of action can be taken against him. I don't think there is any question that what he did was wrong.
I really hope you are kidding.
The guy was a financial analyst, not a developer. Just because he had access to the front-end site, doesn't mean that he has access to the back-end.
Unless of course I am missing something and you magically have backend access to every site you go to.
Without a contract or binding confidentiality clause you are free to redistribute any information you are given, what this guy did might not be ethical but absent a contract he is probably free both civily and criminally.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Had they simply upgraded him to a regular coach seat, there'd be no need to be giving him access to the employee-side site. This was a case of being cheap in the near term costing more in the long run...
Riight, and if a woman is raped, you blame her for wearing revealing clothes, and if someone comes into my house and steals my TV, you blame me for leaving my door unlocked.
You see, up here in Canada, the person who does the bad thing is the one we blame, not the victim. The guy did something he knew was wrong. He's at fault, not the airline. The airline would be smart to not do something like this again, because there are unethical people out there, but the fact is, it's NOT THEIR FAULT. They didn't do anything bad, and he did.
"I have never let my schooling interfere with my education." - Mark Twain
From the article:
:)
Some of Canada's largest pension funds as well as Toronto conglomerate Onex Corp. and several U.S. vulture funds have been mentioned as possible replacement investors in the airline.
What a freudian slip
-JT
Complete nonsense. Using a non-sequitur to evoke an emotional response may pass for debate in Canada, but not here in US, eh.
The company explicitly gave the ex-employee access to the site with the private data, apparently without establishing limits on how often the site could be accessed or (slightly more questionable) how the information could be used. The only limitation mentioned by the article was that only two tickets could be booked per year. Although the ex-employee's actions appear unethical, it is not even clear that he violated any usage agreement that came with the ID/password.
Exactly. Over the last few years, WestJet has been a textbook case in terms of how to set up and run a profitable airline even in times when global airline travel took a (figurative) nosedive. Clive Beddoe (WestJet CEO) is a savvy businessman - it seems to me that if he and/or his legal department were aware of this kind of stuff going on, they'd punt the idiot that was responsible just to avoid the exact kind of allegations we're seeing now. WestJet was already Air Canada's favorite excuse for all its woes - I doubt that they would sanction anything borderline like this, which would only give legitimacy to Air Canada's griping.
Less is more.
I'm guessing they analyzed the HTML post call to the site and had one of their script monkeys write something to automate it and parse the returning values. It was a cool hack that delivered an amazing business advantage, right up until they got caught.
... now he could have done some seriously freaky stuff.
But yea, every physical site I have ever been / done work for I have had back end access. It generally isn't worth going unless I have access to the bare metal. Anything that can be gleaned through the interface some other guy has written - he already knows. If you are going to learn something new you have to access the data directly. If this other company had hired the guy that developed the internal workings of the system after the first company laid him off
In light of that, I'm surprised there isn't more of that happening - go in and figure out who the key guys in development or IT are and just hire them for $20k a year more than they are making. Put them to good use on internal projects, let them hack their old system, or simply send them on a two year European vacation - regardless, best case is the competitor can't continue either developing their core product or can't continue to operate their datacenter.
Honestly how many guys would it take losing from your IT or development staff to render the company useless, even if they weren't hacking their way back in?
Glonoinha the MebiByte Slayer
It would be more like telling your friend he can make a sandwitch then suing him because he made a Dagwood. He didn't do what you wanted, and not necessarily what was reasonable, but certainly within what he was told he could do.
For those not fans of Blondie, a Dagwood is an absurdly large sandwich.
Learn to love Alaska
And if you are the low paid IT worker whose code do you give?
That depends on who has really been pissing you off lately, most likely your manager. I can imagine your manager trying to explain why his id has been used to login to the system 250,000 times in the last year.
That's a very interesting observation. Air Canada was indeed negligent here, but how many times have you written code to limit such a thing? When you're trying to get something working and bug-free, it's hard to think of every nefarious thing someone could do with your application. I think this is more an issue of a webmaster failing to look over logs in order to later take corrective action.
The article is a little hazy on just how "cool" or how good these scripts were technically, so I'll answer in a more general sense. Good craftsmanship is still good craftsmanship. Regardless of the intent, a well-crafted piece of code (or any other craft for that matter) is something we can all learn from. It is something that can make us all better craftsman.
The question in this case is not even whether the scripts were "cool" or not. The article really doesn't give enough information for us to determine that. I believe the main question here is the legality and morality of the guy's actions. The overwhelming response so far has been the the guy is scum. I have to agree. I, however, am not sure of the legality of his actions and hope there is some sort of retribution.
The answer to your question seems to be that we are not so juvenile. In fact, you could say that we are grown up enough to realize that what the guy did was wrong and still appreciate the craftsmanship that went into the scripts (again, I don't know how "cool" they really are.) I wouldn't call that juvenile. I'd call it grown up enough to be able to separate the two issues.
Compare this also to Ryanair and BA in Europe - Ryanair is massively successful and BA isn't ....
codegolf.com - smaller *is* better.
The company explicitly gave the ex-employee access to the site with the private data, apparently without establishing limits on how often the site could be accessed or (slightly more questionable) how the information could be used. The only limitation mentioned by the article was that only two tickets could be booked per year. Although the ex-employee's actions appear unethical, it is not even clear that he violated any usage agreement that came with the ID/password.
Ahh, so if you give your neighbour a key to your garage so he can borrow your lawnmower, and he rifles through all your old bank records that happen to be stored out there, and sells the info to someone else, then he's just doing what any red blooded American can be expected to do (screw his neighbour), and it's your fault for trusting him... is that it? Now I see how it works with you foreigners.
Just kidding. Boy, you really got me with that "eh" joke. I didn't see that one coming... when did y'all b'come so quick-witted down thar anyway?
"I have never let my schooling interfere with my education." - Mark Twain
Why is this even a problem? I can log into, for instance, Delta's public website see exactly which seats are booked on a flight, first class, business, coach and those held for frequent flyers, ie exit rows etc. I can even see the type of plane etc. The only thing I can't see is how over-booked a certain flight might be. Granted, the access the subject had probably granted him data in an easier format to use but couldn't anyone get basically the same thing?
That's a very interesting observation. Air Canada was indeed negligent here, but how many times have you written code to limit such a thing? When you're trying to get something working and bug-free, it's hard to think of every nefarious thing someone could do with your application.
The last time I thought of such a thing was today. That's one of the things I do for a living. But you're right that webmasters (and others) aren't renowned for getting little details like this right...
So basically you have to query the front-end right before takeoff. Which would explain the hundreds of thousands of queries. I would bet that that number corresponds quite close to the number of flights they've had.
I've actually had the opportunity to use these "space-available" tickets from time to time (my dad worked for an airline), and unfortunately "there are / aren't some free seats" isn't enough information to plan your trip... your seat basically isn't confirmed until all the paying customers are physically on the plane, so knowing whether there are 2 or 20 seats available the day before makes a big difference as to how likely you are to end up stuck at the airport.
That having been said, since I wasn't an actual employee I couldn't use the web site myself, I had to call and speak to a human operator. They'd tell me the actual number of open seats, but it seems unlikely WestJet would be able to do this 240,000 times without somebody catching on :P. (of course, then Air Canada would have their former employees suing them over interminable hold times, but that's a whole different problem.)
this is obviously flaming and off-topic but....
If you really hold people accountable for their actions, why is Bush to blame for Saddam's non compliance with his Gulf-War I cease fire agreement?
Ahh, so if you give your neighbour a key to your garage so he can borrow your lawnmower, and he rifles through all your old bank records that happen to be stored out there, and sells the info to someone... else
That's actually not a terrible analogy, but it misses the mark. More apt might be along the lines of: telling your neighbor he could borrow your lawnmower whenever he wants as long as he leaves it full of gas, but then he abuses that priviledge by keeping it nearly all the time and running a business with it mowing other people's lawns.
Keep in mind that the ex-employee had explicit permission to use the data. The article did not give enough detail to determine if the agreement with the company specified that he was only to use the data for booking his own flights, or if the company just assumed that would be the only use.
By the way, it was you who cast the first stone by claiming (or at least implying) U.S. Americans fall short of the Canadian ideal of individual responsibility. Hoser.