Slashdot Mirror


Air Canada Sues Over Misuse Of Employee Password

Anonymous Coward writes "What do you do when you let an employee go? You kill their password and ID, right? Air Canada didn't, and they're now in court because the employee went to a competitor, wrote some cool automated scripts using the ID/password, and grabbed some company data." Interesting story, because Air Canada authorized the employee to access this website and book tickets for himself as part of his severance, but they apparently provide a little more data on that site than what is available to the public.


  1. Thou shalt check thine logs... by LostCluster · · Score: 4, Interesting

    The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website

    It took more than 10 months to realize that this account was hitting the site roughly 750 times per day? Somebody didn't bother to check the logs regularly... this should have smelled funny much faster than that.

    1. Re:Thou shalt check thine logs... by Tom · · Score: 4, Interesting

      You've never admin'ed a major site, have you?

      I have (16k hits/min during the business day). Something like 750 hits per day is well below the line noise threshold for any large site. Unless you look for patterns like that intentionally, you'll never notice.

      --
      Assorted stuff I do sometimes: Lemuria.org
    2. Re:Thou shalt check thine logs... by Ami+Ganguli · · Score: 4, Interesting

      Say 40k employees look at the site an average of once a month (I'd probably check it out once a week myself, so I think this is a low estimate).

      Each time you log in you probably do five or so hits, for 200k hits a month, or over 6000hits/day.

      750 extra hits a day should be noticed, but I doubt anybody cares enough about the traffic on an internal web site to find out why it's gone up by 12% or so. If it happened suddenly on our public site, I'd definitely care, but if it happens on our Intranet it's just an interesting statistic.

      Of course, somebody did notice eventually. But it doesn't surprise me that it took a long time to figure out.

      --
      It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
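An added example, not part of the thread or of anything Air Canada runs: the per-account view of the logs that the exchange above turns on. Tom's point is that 750 hits a day vanishes in a site-wide total; Ami's numbers put it near 11% of an intranet's traffic, which is a bump nobody investigates. The script below builds a constructed day of log lines on Ami's estimate (1200 accounts at 5 hits each, plus one account scripting 750 lookups) and then compares each account with the median account instead of with the total. The log layout, the employee IDs, the IP addresses and the /space-available path are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from statistics import median

# One line of an Apache-style access log with the authenticated employee ID in
# the third field.  This layout is an assumption for the example; the thread
# does not say what Air Canada's web logs actually looked like.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def make_sample_log(normal_accounts=1200, hits_per_account=5,
                    scripted_account="E9999", scripted_hits=750):
    """Constructed traffic for one day, sized to Ami Ganguli's estimate:
    1200 accounts x 5 hits = 6000 routine hits, plus one account that
    scripts ~750 lookups spread across the day.  IDs, IPs and paths are
    made up for the example, not taken from the case."""
    lines = []
    for i in range(normal_accounts):
        for j in range(hits_per_account):
            lines.append(
                f'10.{i // 256}.{i % 256}.{j} - E{i:04d} '
                f'[15/May/2003:09:{j:02d}:00 -0400] '
                f'"GET /space-available?flt=AC{100 + j} HTTP/1.0" 200 1024')
    for k in range(scripted_hits):
        lines.append(
            f'192.0.2.10 - {scripted_account} '
            f'[15/May/2003:{k // 32:02d}:{k % 60:02d}:00 -0400] '
            f'"GET /space-available?flt=AC{100 + k % 50} HTTP/1.0" 200 1024')
    return lines


def hits_per_user_per_day(lines):
    """Return {day: {user: hits}} plus the number of lines that did not parse."""
    counts = defaultdict(lambda: defaultdict(int))
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        counts[m["day"]][m["user"]] += 1
    return counts, unparsed


def traffic_share(day_counts, user):
    """Fraction of the day's total hits that belong to one account."""
    total = sum(day_counts.values())
    return day_counts.get(user, 0) / total if total else 0.0


def flag_outliers(day_counts, factor=20, floor=50):
    """Accounts whose hit count is above an absolute floor and more than
    `factor` times the median account.  Comparing each account with its
    peers is what makes 750 hits stand out even at ~11% of the total."""
    med = median(day_counts.values())
    return {u: n for u, n in day_counts.items() if n >= floor and n > factor * med}


if __name__ == "__main__":
    counts, unparsed = hits_per_user_per_day(make_sample_log())
    for day, per_user in sorted(counts.items()):
        print(f"{day}: {sum(per_user.values())} hits from {len(per_user)} accounts, "
              f"{unparsed} unparsed lines")
        for user, n in flag_outliers(per_user).items():
            print(f"  outlier {user}: {n} hits ({traffic_share(per_user, user):.1%} of total)")
```

The point of the median comparison is that it does not care how big the site is: the scripted account is 150 times its median peer whether the site does 6000 hits a day or 16k a minute, so this is the kind of report that would have to be run deliberately, as Tom says, rather than hoping the total looks odd.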
  2. Turnabout... by Anonymous Coward · · Score: 5, Interesting

    The funny thing is, Air Canada is one of only a few corporate entities world wide that probably can't afford to sustain litigation against a private citizen =)

    For the benefit of Americans who probably neither know the circumstances (nor really care I'm sure), Air Canada is Canada's only remaining national airline (i.e. services all parts of the country as opposed to just a few very profitable routes; and does so with legendary rudeness, but that is another story), and it is quite bankrupt. Its chances of survival at this point seem pretty remote.

  3. Re:I'm not sure if I understand by adamofgreyskull · · Score: 2, Interesting

    Would he be equally culpable if he repeatedly tried, on a smaller scale, to book free tickets from work which he cancelled at the last minute and his new employer was monitoring his PC without his knowledge?

    Or in this case, what if his employer or some unknown party snooped his login and then proceeded to misuse it without his knowledge? Sounds like a reasonable defence...

  4. Dealing with this right now by beacher · · Score: 4, Interesting

    I'm currently working on a project like this as we speak. My company's website is getting nailed from a handful of IP addresses that do nothing but datamining. We've come to the conclusion that captchas would penalize joe user and we're going to move forward with some applications that throttle requests by IP. We don't keep private information outside of account specific data...

    My company is looking at it in a different way though - We've figured out what click sequences are used and we're going to address the business need that these few bots have identified. If these 3rd party bots are selling atomic or aggregate data, well, why not cut them off at the source and sell the data for less?

    The company failed in 2 areas - 1) keeping sensitive inside information from their outward facing internet site and 2) They should have rescinded the ID. I'm not sure about making their data available to the competition, but that's an inevitability that they need to account for.
    -B

    1. Re:Dealing with this right now by beacher · · Score: 4, Interesting

      You do have a firewall, right? Absolutely

      So that when they finally realize they have been poisoned it will be too late to do anything about it.
      Not ethical and impractical. Just how many requests does it take before you start poisoning? 1000 per hour? We get that many hits from AOL and they come in through a gateway. If we were poisoning legitimate users' data, that would be unacceptable.

      Why don't you go the eBay way and provide an API into your web site, then change the format slightly every month, thereby breaking the web crawlers? After all, you may as well make money out of the data miners. We have *extensive* APIs into most of our systems. We're trying to get the bots to use and license the APIs. I have been talking with some of the developers to try to put some unicode inside (human readable but bot breaking).. They may be looking into this. We don't make any money off the data miners.

  5. Re:Rights? Clearly abused. by ruprechtjones · · Score: 3, Interesting

    The real issue here isn't insider information. It seems to be in my opinion trade secret.

    I'm sorry, you are correct. This is a trade secret issue. If Air Canada can cough up the paperwork saying he was only allowed to use his insider information to book his own tickets and absolutely nothing else, then it's an open-and-shut case. If not, then it'll be interesting to see how WestJet's lawyers defend this dude.

    --
    Kip Hawley is an idiot.
  6. The Funny Part by Fortress · · Score: 5, Interesting

    For me, being Canadian, the funniest part of the whole article is how Air Canada's suit is looking for lost profits. Air Canada hasn't made a profit in decades, being a quasi-Crown corporation that can depend on the govt bailing them out when they run out of money.

    Seems to me that Air Canada will have to pay WestJet money for "lost profits," since they spared them from losing money on those flights!

    1. Re:The Funny Part by bluGill · · Score: 2, Interesting

      That's not nearly as bad as the time my sister wanted to go Minneapolis-Washington D.C., and found the cheapest fare involved a plane change in Paris, France! She decided not to do that, but seriously considered spending a day in France both ways to see the sights, it would still save money. (IIRC she didn't have enough vacation time saved up)

  7. Didn't they have something like this by anandpur · · Score: 2, Interesting

    You are entering an Official Air Canada System, which may be used only for authorized purposes. Unauthorized modification of any information stored on this system may result in criminal prosecution. The Government may monitor and audit the usage of this system, and all persons are hereby notified that use of this system constitutes consent to such monitoring and auditing.

  8. Re:Calling a spade a "spade" are we? by jonwil · · Score: 2, Interesting

    Hopefully someone will come in, buy up the rights to any unix code SCO may actually own and GPL the whole thing. (Unixware, System V etc)
    That would be the fitting end to all this lawsuit crap.

  9. Everything not forbidden is permitted? by hwestiii · · Score: 2, Interesting

    The story digest may have this completely wrong. It says "What do you do when you let an employee go? You kill their password and ID, right?"

    The activity in question appears to have been facilitated by access granted as part of his severance package. As the article notes: "As part of his separation package when Lafond left Canadian Airlines in October 2000, he received two space-available airline tickets per year for five years. These tickets are booked through the private website."

    The article is actually a little hazy on the details here. Though it doesn't specifically say so, it seems to imply that the separation agreement gave the terminated employee direct access to this private web site through a user name and password. One can imagine other ways this could be done that didn't involve direct access to the employee, like through a dedicated fulfillment provider, for example.

    Either way, it sounds like it all amounts to some pretty dumb corporate behavior on the part of Air Canada. Either bad security practices if they didn't cut off the guy's access, or bad auditing if all that use went unnoticed for so long.

  10. Re:The moral is? by stecoop · · Score: 2, Interesting

    Shouldn't we as consumers clamor to have overbooking information too? I would think that if a flight is overbooked then I should see the statistics to determine if I want to buy the ticket.

    Also on the flight loads, if I really (read it twice) want that information, I could have a bunch of apprentices sit outside the loading gates and count the people that boarded, having them record the plane and route. Voilà - got your information legally.

  11. Re:If you deal in garbage, you might attract flies by tarunthegreat · · Score: 3, Interesting

    It's not so much what Air Canada's doing, but how they went about it. There really doesn't seem to be much reason to give former employees access to private sites. Although it's not too clear in the article, the least they could have done was create a separate network, with filtered data (i.e. a DB with just empty airline seats, and also coded in different ways so that you don't really have too much of a clue what's going on elsewhere...) Heck, maybe the employee shouldn't even have visibility into what routes have empty seats, but just submit a request for an empty seat. (i.e. Instead of the system saying "we have 50 free seats to Mexico today, take your pick" it should simply say "Mr. X, you have got the free seat to Mexico today".) How difficult would that be to do really? Even simpler is not allowing the former employees access to private sites, severance or not. This is simply laziness on Air Canada's part (hell, we have to give these bozos free tickets, so let's just give 'em a little more access). Air Canada got what it deserves, and if anything, it should be Air Canada's investors suing Air Canada!

  12. Always change passwords when employees leave by Punk+Walrus · · Score: 3, Interesting
    Back when I did contract work, I always told my employers, via public e-mail, to change the system passwords, and then listed which systems I had access to. This way, if they ever got hacked, I could always say, "Well, I *told* you to change them..."

    I'm not sure anymore if that would help, but I know at least one company never changed their passwords because their vendors kept paging me, up to a year later, to "go into the system and make these changes." One of the vendor contacts and I had become good friends, and one day he begged, "We can't get in, and those bozos won't answer our pages." So I told them the last password I had, stating it probably wouldn't work. Nope, he got right in. Root access to a major gateway.

    And the password was easy too, like abc123 "That's the combo on my luggage" easy. Considering this gateway controlled 48 T1 lines to a large call center, I shudder to think how it could be used if phreaked.

  13. Hello? Air Canada I.T. Department? by bbq_jedi · · Score: 5, Interesting

    Quote from Wompom website:
    " If AC really knew the truth they would realise that access had been made following the circulation of the PIN on airline chat lines earlier this year. WomPom even used it to verify its functionality."

    http://www.wompom.ca/news/wp2004apr07.htm#1

    Duh...

  14. law by Ryntis · · Score: 2, Interesting

    I'm not up on Canadian law.. but if it's anything like the US they better hope he signed his non-competition agreement nice and clear :)

  15. Re:If you deal in garbage, you might attract flies by tuxlove · · Score: 3, Interesting

    It turns out they are a security hole. That makes them a bad idea, even if they are a way to save money for the airlines

    That's a bit shortsighted, isn't it? These tickets are a great idea all the way around. It's how they give access to the information that's at fault, not the concept of zero-cost tickets. That's like saying that because you killed someone with your car, all cars are a bad idea. The problem here is that Air Canada's website allowed an individual to do 600,000 lookups (whatever the number was). There should be a reasonable limit, like 100 a day or less. There's no reason for any one person to have more than that, and with such a limit in place the program should be able to continue without a problem.
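An added example, not from the thread and not code from either airline: a request-time gate of the kind tuxlove proposes here (a quota of 100 lookups per account per day) combined with the per-IP throttle beacher describes in comment 4. The limits, window sizes, employee IDs and IP addresses are assumptions chosen for illustration, and the traffic in the simulation is constructed rather than taken from the case. It shows why the per-account quota matters: a script that paces itself at about 31 lookups an hour, roughly the rate Perrin7 works out, slips under a per-IP throttle but still runs into the daily quota.

```python
import time
from collections import defaultdict


class FixedWindowLimiter:
    """Keyed fixed-window counter: at most `limit` requests per key within
    each `window`-second period (periods are aligned to multiples of `window`)."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._counts = defaultdict(int)  # (key, window index) -> requests seen

    def _index(self, now):
        return int(now // self.window)

    def allow(self, key, now):
        """Count one request for `key` at time `now`; False once the window is full."""
        slot = (key, self._index(now))
        if self._counts[slot] >= self.limit:
            return False
        self._counts[slot] += 1
        return True

    def prune(self, now):
        """Forget windows that have already closed so memory does not grow forever."""
        current = self._index(now)
        for slot in [s for s in self._counts if s[1] < current]:
            del self._counts[slot]


class LookupGate:
    """Gate in front of the space-available lookup.  Two limits are checked:
    a daily quota per employee ID (tuxlove's "100 a day") and an hourly cap per
    source IP (beacher's throttle-by-IP).  Denials are recorded for review.
    Both numbers are example values, not anything the airline used."""

    def __init__(self, per_account_per_day=100, per_ip_per_hour=60):
        self.by_account = FixedWindowLimiter(per_account_per_day, 24 * 3600)
        self.by_ip = FixedWindowLimiter(per_ip_per_hour, 3600)
        self.denied = []  # (time, account, ip, reason)

    def check(self, account, ip, now=None):
        """Return (allowed, reason).  The account quota is consulted first, so a
        request refused on quota does not consume the IP's allowance."""
        now = time.time() if now is None else now
        if not self.by_account.allow(account, now):
            reason = "account_daily_quota"
        elif not self.by_ip.allow(ip, now):
            reason = "ip_hourly_limit"
        else:
            return True, "ok"
        self.denied.append((now, account, ip, reason))
        return False, reason


def simulate(gate, account, ip, requests, spacing, start=0.0):
    """Replay `requests` lookups `spacing` seconds apart and summarise the outcome.
    Constructed traffic for the example, not data from the case."""
    allowed = denied = 0
    first_denial = None
    for k in range(requests):
        ok, reason = gate.check(account, ip, now=start + k * spacing)
        if ok:
            allowed += 1
        else:
            denied += 1
            first_denial = first_denial or reason
    return {"allowed": allowed, "denied": denied, "first_denial": first_denial}


if __name__ == "__main__":
    # A legitimate employee checking a few flights is never throttled.
    print(simulate(LookupGate(), "E0042", "10.0.0.5", requests=5, spacing=600))
    # A script pacing 750 lookups across a day (about 31 an hour) stays under the
    # per-IP cap but is stopped by the daily quota after 100.
    print(simulate(LookupGate(), "E9999", "192.0.2.10", requests=750, spacing=86400 / 750))
    # A burst of one lookup per second hits the per-IP cap first.
    print(simulate(LookupGate(), "E9999", "192.0.2.10", requests=70, spacing=1))
```

A fixed window is deliberately simple: it lets a client double up at the boundary between two windows, which is fine for a daily quota whose purpose is to bound total lookups, and the `denied` list is what the logs-analysis crowd in comment 1 would want to see, since a quota that is hit every single day is itself the signal.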

  16. Re:What was the TOS? Was there even one? by oconnorcjo · · Score: 2, Interesting
    Terms of service are displayed so that the provider can discontinue the service to that particular client if he breaks them, it's never used to sue anyone. He didn't seem to hurt their website significantly (after all, it was months before they noticed it?) so there's nothing illegal in that. OTOH, if he signed (and not just viewed or clicked on a button), a confidentiality agreement, then he's fucked.

    Personally I think even if he is "squeaky clean by the law", I still think he is a sleaze bag. Even if it was legally allowable, he knew his previous employer would not want him doing that and he abused the severance package that they gave him to F#(k them over. Seems like a person I would not want to hire in the first place and understandable why they let him go.

    --
    I miss the Karma Whores.
  17. I'm all for timeliness of data by Perrin7 · · Score: 2, Interesting

    but logging into a website 32 times an hour for 10 months; is that really necessary to get the information Westjet is accused of using?

    I would think a couple of times an hour at most would be all that is required to gather flight loads. I can't see a whole lot of passengers waiting until 2 minutes before the flight to book their tickets (it may happen once or twice, but over the course of months those will be anomalies). So either WestJet was being stupid and killed the goose that laid the golden egg, or there is a lot more going on than we are being told.

  18. binary is for computers, not humans by Doc+Ruby · · Score: 2, Interesting

    Air Canada is liable to those whose data (and lives) they protect, for leaving the door unlocked on a busy street. And the ex-employee is liable for trespassing, regardless of their possession of an old key, once disinvited from the premises, to say nothing of theft and privacy invasion. Corporation vs. ex-employee is a false choice: they're all guilty.

    --
    make install -not war

  19. Re:I'm not sure if I understand by ratboy666 · · Score: 2, Interesting

    Ok.

    If this is a civil matter, you *may* be right.

    If this is a CRIMINAL matter, you are very VERY wrong. Nothing to do with "...beyond a reasonable doubt." either.

    And, just for your information, the US (I assume you are in that jurisdiction), does allow acts if there is no statement preventing said act. And that's in your constitution.

    Not so in Canada, but I sure hope that AC has an agreement in place with the ex-employee. Without a mention of web site usage, they are pretty much fucked. Of course, this could be a last-gasp attempt at increasing AC stock price (what is it now? 1.10 CDN or so?) at WestJet's expense.

    Now, the ex-employee in question may or may not be a "geek". I'll leave that question alone. But if *I* were given marketing data, updated for five years, for my use *without* a rider restricting that use, I would sure use it. And, if sued, take it to the limit. $5 Million and any profits? Why, the counter-suit would be for the whole fucking company.

    And that's why I think this is a very stupid move by the AC CEO. (and I fully expect that he expects a bail-out, and to keep his job).

    Ratboy.

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  20. Re:If you deal in garbage, you might attract flies by Sacarino · · Score: 2, Interesting

    Of course, the critical mistake was that in order for somebody to know if there's going to be space-available, they have to publish on this site how full or not full the plane currently is.


    Sorry, wrong!

    Many airlines when you call to wait-list yourself on a flight will do just that.... You don't get any details about how full the flight is.

    If you want to get particular, this is called Non-Revenue Space-Available. I can list myself on a flight that operates 4 months from now that may only have 4 people booked on it. Or, I can list myself on a flight that departs in 15 minutes that's oversold by 2 seats. If there's enough no-shows on the flight, I get a seat. The whole concept of non-rev travel means that if there's an open seat and you're ready to go, you can get it.

    The value of that empty seat is $0 the moment the aircraft door closes, hence the airlines' willingness to allow employees or interline agreement employees to travel for free.

    The ability to get listed on a flight is a totally separate event from letting the guy have access to their reservations/booking system. That's just piss poor security procedures on the part of Air Canada.

    I work in an airline dispatch office, so this is something I have some familiarity with.

    --
    -- El Sacarino tiene gusto de la chocha