Slashdot Mirror

← Back to Stories (view on slashdot.org)

Air Canada Sues Over Misuse Of Employee Password

Posted by michael on from the oh-canada dept.

Anonymous Coward writes "What do you do when you let an employee go? You kill their password and ID, right? Air Canada didn't, and they're now in court because the employee went to a competitor, wrote some cool automated scripts using the ID/password, and grabbed some company data." Interesting story, because Air Canada authorized the employee to access this website and book tickets for himself as part of his severance, but they apparently provide a little more data on that site than what is available to the public.

9 of 215 comments (clear)

  1. If you deal in garbage, you might attract flies. by LostCluster · · Score: 5, Informative

    To airlines, a space-available ticket is something that's being plucked out of the garbage. It represents what they allow most of their employees to do... fly for free when there's an empty seat that's going to be going to be going somewhere. Of course, the critical mistake was that in order for somebody to know if there's going to be space-availalbe, they have to publish on this site how full or not full the plane currently is.

    So there's where the dumb idea play comes in. If they had just let him have some free coach tickets through the customer side the operation then all they'd have to do is give him some limited-use coupon codes. Or they could have given him cash in his severance package. But no, they had had to go with these theoretically near-zero-cost cost tickets... and now look where they are.

  2. I'm not sure if I understand by PsiPsiStar · · Score: 4, Informative

    It seems that the ex-employee used automated technology to access information that he was allowed to access. What makes this information confidential?

    Maybe Lanford signed somthing, but the article doesn't mention what violation Lanford committed, aside from 'using confidential information' that he obviously had access to.

    How effectivly can a company regulate the way that information it discloses can be used?

    IANAL. Maybe there's some sort of quid-pro-quo regarding Lanford's receipt of something tangible like tickets which would make a confidentiality agreement more binding than a simple clickthrough liscense, but does anyone know what it takes for one of those buggers to hold up in court?

    From the article;



    The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website.

    "The continuous and massive use of Lafond's employee ID number and PIN to access the employee website could not be done by one individual and far exceeds any possible potential use by Lafond," Air Canada said.

    Well, obviously he did use the information. It's just a matter of what he used it for.



    "Such massive access to the employee website through one employee ID number could only be accomplished through automated technology."

    --

    ___
    It's the end of my comment as I know it and I feel fine.
  3. Re:Calling a spade a "spade" are we? by asreal · · Score: 4, Informative

    Yes, they meant vultures. Air Canada is dying, and these funds are just waiting for them to keel over before they swoop down for the feed. Thus, vulture funds.

    --

    What Future?

  4. Re:Calling a spade a "spade" are we? by qvanderm · · Score: 5, Informative

    Not a typo. Vulture Funds specialize in 'distressed' investments. A money-burning operation like Air Canada certainly qualifies.

  5. Re:Rights? Clearly abused. by danheskett · · Score: 4, Informative

    But it's insider information he was explicitly allowed to have.

    Air Canada fired him. Laid off. Not any longer employed but continued to give him access to information they wanted to keep private. They have, however, no reasonable expectation that this information would be kept private unless of coure it was previously arranged in the severance or rider contract.

    Insider information isn't illegal perse. For example, if I went and physically counted the number of people getting on and off Air Canada planes at different times, and recorded that and sold it to WestJet things would be just fine. It's called market research.

    The real issue here isn't insider information. It seems to be in my opinion trade secret.

  6. Re:The moral is? by Beeswarm · · Score: 4, Informative

    Wrong. The information in question would have to be the flight loads. This would tell you how many people are booked on a specific flight and how many overbookings are allowed. To an employee, this information would be used to plan their travel by seeing which flights they would most likely to get on as a space-available rider. To a competitor, this information would be useful for determining which routes are more profitible because the seats are always full, and which routes already have too much seat capacity.

  7. Not how - but what. by Saggi · · Score: 5, Informative

    In Denmark where I live the rules are simple.

    You don't get sued for accessing the website, with or without an illegal id. You get sued if you misuse information you gained in your former employment. It doesn't matter if it is in your contract, the commerce laws in Denmark forbid use of inside knowledge to harm other companies - as it clearly is happening in this case.

    I would guess that Canada have some similar laws.

    So how you obtain the information is irrelevant - even thou this case in interesting from a slash-dot point of view.

    --
    -:) Oh no - not again.
    www.rednebula.com
  8. Re:If you deal in garbage, you might attract flies by LostCluster · · Score: 4, Informative

    They're a great deal for the employees, but revealing which routes have space-available seats shortly before takeoff is highly valuable data. That shouldn't be in trusted the hands of an ex-employee.

    Had they simply upgraded him to a regular coach seat, there'd be no need to be giving him access to the employee-side site. This was a case of being cheap in the near term costing more in the long run...

  9. Re:It's all about size. by CoderDevo · · Score: 4, Informative
    In fact, you shouldn't. You should just have a bit-flag on the accounts saying that they're not allowed to log in... you never know when somebody's coming back to the company and would need their account reactivated.

    Actually, there is no harm in deleting the account. It is typical practice to delete all accounts 30-90 days after an employee leaves. My company maintains a database of past IDs and their owners for forensic & audit purposes. (That database is not used for authentication.) But we have no problem with re-issuing an ID to a new employee if the ID has not been used for a few years.

    However, deleting or disabling the account would not have worked for Air Canada since they already agreed to give the ex-employee access to their space-available tickets website for the 5 years following his departure.

    They could have instead analyzed website activity looking for anomolies, but that may not have worked either since they hadn't anticipated this type of misuse. A better solution would be to not give ex-employees access to any internal data at all. Instead, provide non-employees with only a phone number for a ticket agent who can book the flights for them. But then, that is more expensive. There is risk in being cheap.