Slashdot Mirror
Air Canada Sues Over Misuse Of Employee Password
Anonymous Coward writes "What do you do when you let an employee go? You kill their password and ID, right? Air Canada didn't, and they're now in court because the employee went to a competitor, wrote some cool automated scripts using the ID/password, and grabbed some company data." Interesting story, because Air Canada authorized the employee to access this website and book tickets for himself as part of his severance, but they apparently provide a little more data on that site than what is available to the public.
We may see an interesting test case for the validity of website terms of serivce here, or maybe even what happens when a website forgets to cover a form of abuse in the TOS.
Afterall, the site that was involved here was designed for an internal audience, one that'd not dream of feeding info to a competitor.
But they couldn't simply delete this guy's account because he was entitled to use that site for the next five years to book free air travel as part of his severance package. If he was told not to give the information to his new employer, that's one thing. But if he wasn't, then who can say that infomation given to an ex-employee without any contract still counts as a trade secret?
So, if there isn't a TOS on the page in question... things could get really interesting.
The real problem is the lack of security awareness by Air Canada.
The imformation could have been obtained by noting the place and departure times of all Air Canada's fleights. The ex-employee just made it easier.
Too, it looks like a sinking ship in search of rats.
I guess it depends on what terms and conditions were specified when they gave him the login and password. If he had to sign an agreement when he got them..presumably they would still be in effect as long as the Login/Password was active.
If the use of the login and password was specified in an employment contract though, would he still be bound to the Ts&Cs after he left?
Hey, space-available tickets are a very good deal for the airlines and the employees who work for them. I probably would not be working for an airline if it weren't for the fact I've been to Europe twice, Japan once, and Mexico more times than I can remember in the last four years, all working at a salary barely twice the minimum wage. The Reservation center I work at has an extremely low turnover rate by call center standards, and most of my co-workers travel abroad on a regular basis. And the company gets lots of happy workers just by giving away the seats they can't sell.
How do you know that he didn't just automate checking which flights had empty seats on them, so he could take advantage of his free tickets?
Sure, it looks likely that he passed this information onto his new employer, but unless you are the defendant, how can you be so sure?
The world needs more people who don't just jump to conclusions from reading one newspaper article.
codegolf.com - smaller *is* better.
There are always *some* assets. You'll be seeing those SCO mousemats, office chairs, desktop PCs and building signs popping up on eBay faster than you can say "Enron".
shutting it off is the weak minds way to resolve the issue.
identify the bots and slowly poison their data instead. thats how a man should do it.
whenever the bot is digging into your data, instead of real data feed it fake garbage data instead. poisoned garbage data should however only be slightly off not to make it obvious that it is garbage data. the point is : it should take long to realize that the data is posioned. When they realize the data is poisoned they should not be able to tell what data is real and what is poisoned so they will have to throw ALL data away.
So that when the finally realize they have been poisoned it will be too late to do anything about it.
On a slightly related note I was booking a flight from Vancouver to London last year and found the cheapest flight in the area was from Seattle to London via Vancouver on Air Canada. Booking the direct flight from Vancouver to London on Air Canada was nearly twice as expensive as taking a commuter flight from Seattle to Vancouver and then getting on that same direct flight to London.
;)
Why not skip the Seattle leg and get on in Vancouver? If you miss the first leg of a flight you are not allowed to make the second leg even when in this case there was an 8 hour layover in Vancouver. As Seattle is only 2.5 hours drive from Vancouver it is conceivable someone could miss the flight from Seattle to Vancouver and still quite easily make the flight from Vancouver to London by catching the train north.
My point, anyways, was that I was pissed that an airline subsidized by Canadian taxpayers was offering flights to Americans at just over half the price they were offering it to Canadians.
And before any of you idiots ask the price difference had nothing to do with the exchange rate.
This guy is the reason the IT industry is full of non-compete contracts... what a 100% total asshole.
Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
According to this logic
Which logic is that? Certainly not any that was posted here.
if you leave your front door unlocked, and I walk in and take your stuff, it's OK, because you allowed me access to it
No. More like: if I gave you a key to my front door, and told you to take whatever you wanted from my fridge, and you come in, clean out the fridge, and sell it to the market across the street, then it's OK, because I gave you access to it.
Which it would be (because I have given you permission.)
he was clearly in the wrong with his actions
Not necessarily. If he had an agreement that he wouldn't give/sell the information to anyone, then you may have a point, but if there was no such agreement, then he's quite clearly not in the wrong.
I don't think this qualifies as insider information, but more appropriately called company proprietary, or company confidential information
If it was proprietary, or confidential, then the company should have had measures in place to keep it that way. You can't give something to someone with no strings attached, and then cry foul when they use it for something you don't like.
Issue 1: Stupidity of the organization to not lock down permissions and/or kill the account/password.
Issue 2: Duplicity from the former employee accessing data he knew full well that he should not have accessed.
Both need to harbor the blame for their part.
Just be careful. These are only allegations, and one should take any claims that Air Canada makes about WestJet with a couple of grains of salt. They have a huge WestJet complex. Not that I'm saying that this kind of thing couldn't happen.
www.timcoleman.com is a total waste of your time. Never go there.
I know it is hard for geeks to understand, but there is more to law then what is written down in black and white.
In this civil suit one of the arguments that will be put forward by Air Canada is whether the use of the information was "reasonable." Their argument will probably include examples of similar agrements all in a effort to convince a judge. It is unlikely that there is any document that states how many times a person can log into the site, or what they may use the information found on the site for. These statements are unecessary.
The "reasonable" test goes far beyond what has been written on paper. It appears all over civil and criminal law in every court that has ever been influenced by the British, and probably the other European powers as well. It is a giant catch all in some respects. This test is even found at the heart of modern justice in the phrase "...beyond a reasonable doubt."
Slashdot has reported on many cases where geeks have gotten into trouble when they have assumed that an act was permitted becuase there is no statement preventing said act. This is never the case. In all laws, and in all contracts there is always an implied element of what is reasonable.
I doubt that the 243 K hits were done as exactly 750 per day. More likely, there were only a handful of hits each day for a very long time, as they tried to figure out how to extract the data and automate the process. Then, once they were in "production" mode to get a massive amount of data, they could ramp up to thousands or tens of thousands per day. Only then is it easy to figure out something unusual is going on.
Lawsuit aside, what about this guy's sense of professional ethics? Regardless of what TOS the AC site put up, or whether the guy could get away with it on a technicality, who wants that type of person working at their company?
And if I was his boss at WestJet, I'd be nervously trying to figure out what data this guy will 'volunteer' once he leaves his current employment...
It has been pointed out that the data he retrieved from WestJet, he retrieved after he left, and therefore didn't steal it - but the existence of the server, and the fact that he could access it - is information that this guy had a professional obligation to keep to himself.
I hope WestJet takes care of him, 'cause I can't imagine him working anywhere else now...
Pixie
don't mess with those geekgrrls
What does this say about outsourcing VS IT security ... and India too.
Jesus, write a script kiddie toy to use the existing front end to interrogate the back end once a minute for ten months? What the hell is that?
... and it snowballed from there as some sort of clandestine 'upper-management wants to be a hacker' way. Then again it worked and helped them on the business side in a massive way so I guess it wasn't completely stupid. Except for getting caught, of course, hammering on the system day and night for 10 months and leaving an audit trail as long as your arm.
If you are going to hack, HACK. Hook up directly to the database back end and write some SQL to extract all the data at once and have it spit out nice neat reports summarizing the data. Run it once a day at most.
Somehow I think this guy was showing off to his boss the first week like some newbie - probably said 'hey check this out' the first day when showing it to him without thinking through the long term ramifications
Glonoinha the MebiByte Slayer
Complete nonsense. Using a non-sequitur to evoke an emotional response may pass for debate in Canada, but not here in US, eh.
The company explicitly gave the ex-employee access to the site with the private data, apparently without establishing limits on how often the site could be accessed or (slightly more questionable) how the information could be used. The only limitation mentioned by the article was that only two tickets could be booked per year. Although the ex-employee's actions appear unethical, it is not even clear that he violated any usage agreement that came with the ID/password.
That's a very interesting observation. Air Canada was indeed negligent here, but how many times have you written code to limit such a thing? When you're trying to get something working and bug-free, it's hard to think of every nefarious thing someone could do with your application. I think this is more an issue of a webmaster failing to look over logs in order to later take corrective action.
The company explicitly gave the ex-employee access to the site with the private data, apparently without establishing limits on how often the site could be accessed or (slightly more questionable) how the information could be used. The only limitation mentioned by the article was that only two tickets could be booked per year. Although the ex-employee's actions appear unethical, it is not even clear that he violated any usage agreement that came with the ID/password.
Ahh, so if you give your neighbour a key to your garage so he can borrow your lawnmower, and he rifles through all your old bank records that happen to be stored out there, and sells the info to someone else, then he's just doing what any red blooded American can be expected to do (screw his neighbour), and it's your fault for trusting him... is that it? Now I see how it works with you foreigners.
Just kidding. Boy, you really got me with that "eh" joke. I didn't see that one coming... when did y'all b'come so quick-witted down thar anyway?
"I have never let my schooling interfere with my education." - Mark Twain