Slashdot Mirror


Air Canada Sues Over Misuse Of Employee Password

Anonymous Coward writes "What do you do when you let an employee go? You kill their password and ID, right? Air Canada didn't, and they're now in court because the employee went to a competitor, wrote some cool automated scripts using the ID/password, and grabbed some company data." Interesting story, because Air Canada authorized the employee to access this website and book tickets for himself as part of his severance, but they apparently provide a little more data on that site than what is available to the public.

8 of 215 comments

  1. Thou shalt check thine logs... by LostCluster · · Score: 4, Interesting

    The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website

    It took more than 10 months to realize that this account was hitting the site roughly 750 times per day? Somebody didn't bother to check the logs regularly... this should have smelled funny much faster than that.

    1. Re:Thou shalt check thine logs... by Tom · · Score: 4, Interesting

      You've never admin'ed a major site, have you?

      I have (16k hits/min during the business day). Something like 750 hits per day is well below the line noise threshold for any large site. Unless you look for patterns like that intentionally, you'll never notice.

      --
      Assorted stuff I do sometimes: Lemuria.org
    2. Re:Thou shalt check thine logs... by Ami+Ganguli · · Score: 4, Interesting

      Say 40k employees look at the site an average of once a month (I'd probably check it out once a week myself, so I think this is a low estimate).

      Each time you log in you probably do five or so hits, for 200k hits a month, or over 6000 hits/day.

      750 extra hits a day should be noticed, but I doubt anybody cares enough about the traffic on an internal web site to find out why it's gone up by 12% or so. If it happened suddenly on our public site, I'd definitely care, but if it happens on our Intranet it's just an interesting statistic.

      Of course, somebody did notice eventually. But it doesn't surprise me that it took a long time to figure out.

      --
      It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
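
The point made in this thread, that one account's 750 hits a day vanishes in site-wide totals unless you group by account, sketched as an added example (not part of the original comments). It assumes Combined Log Format lines with the authenticated account in the third field and a `separated` set exported from HR; the account ids, path and thresholds are constructed.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Combined Log Format (assumed); the third field is the authenticated account.
LINE = re.compile(r'^(\S+) \S+ (\S+) \[(\d{2}/\w{3}/\d{4}):[^\]]+\] "[^"]*" \d{3} \S+')

def daily_hits(lines):
    """Count requests per (account, day); skip anonymous and malformed lines."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(2) == "-":
            continue
        day = datetime.strptime(m.group(3), "%d/%b/%Y").date()
        hits[(m.group(2), day)] += 1
    return hits

def flag_accounts(lines, separated=frozenset(), factor=20, floor=100):
    """Flag account-days far above the median, and any activity by separated accounts."""
    hits = daily_hits(lines)
    if not hits:
        return []
    threshold = max(floor, factor * median(hits.values()))
    rows = []
    for (account, day), n in sorted(hits.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        reasons = []
        if n > threshold:
            reasons.append(f"volume {n} > {threshold:g}")
        if account in separated:
            reasons.append("separated account still active")
        if reasons:
            rows.append((account, day.isoformat(), n, "; ".join(reasons)))
    return rows

def sample_log():
    """Constructed data: 400 staff accounts at 5 hits/day, one account at 750/day."""
    fmt = '10.0.0.{ip} - {acct} [{day:02d}/May/2003:09:00:00 -0400] "GET /loads HTTP/1.0" 200 512'
    lines = ['10.0.0.9 - - [15/May/2003:09:00:00 -0400] "GET / HTTP/1.0" 200 99', "garbage"]
    for day in (15, 16):
        for i in range(400):
            lines += [fmt.format(ip=i % 250 + 1, acct=f"emp{i:04d}", day=day)] * 5
        lines += [fmt.format(ip=251, acct="emp9999", day=day)] * 750
    return lines

if __name__ == "__main__":
    for row in flag_accounts(sample_log(), separated={"emp9999", "emp0003"}):
        print(row)
```

The separated-account check fires on the first request, so it does not depend on the volume threshold being tuned correctly.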
  2. Turnabout... by Anonymous Coward · · Score: 5, Interesting

    The funny thing is, Air Canada is one of only a few corporate entities worldwide that probably can't afford to sustain litigation against a private citizen =)

    For the benefit of Americans who probably neither know the circumstances (nor really care I'm sure), Air Canada is Canada's only remaining national airline (i.e. services all parts of the country as opposed to just a few very profitable routes; and does so with legendary rudeness, but that is another story), and it is quite bankrupt. Its chances of survival at this point seem pretty remote.

  3. Dealing with this right now by beacher · · Score: 4, Interesting

    I'm currently working on a project like this as we speak. My company's website is getting nailed from a handful of IP addresses that do nothing but datamining. We've come to the conclusion that captchas would penalize joe user and we're going to move forward with some applications that throttle requests by IP. We don't keep private information outside of account specific data...

    My company is looking at it in a different way tho - We've figured out what click sequences are used and we're going to address the business need that these few bots have identified. If these 3rd party bots are selling atomic or aggregate data, well, why not cut them off at the source and sell the data for less?

    The company failed in 2 areas - 1) keeping sensitive inside information from their outward facing internet site and 2) They should have rescinded the ID. I'm not sure about making their data available to the competition, but that's an inevitability that they need to account for.
    -B

    1. Re:Dealing with this right now by beacher · · Score: 4, Interesting

      You do have a firewall, right?
      Absolutely

      So that when they finally realize they have been poisoned it will be too late to do anything about it.
      Not ethical and impractical. Just how many requests does it take before you start poisoning? 1000 per hour? We get that many hits from AOL and they come in through a gateway. If we were poisoning legitimate users' data, that would be unacceptable.

      Why don't you go the ebay way and provide an API into your web site, then change the format slightly every month so breaking the web crawlers? After all, you may as well make money out of the data miners.
      We have *extensive* APIs into most of our systems. We're trying to get the bots to use and license the APIs. I have been talking with some of the developers to try to put some unicode inside (human readable but bot breaking). They may be looking into this. We don't make any money off the data miners.

  4. The Funny Part by Fortress · · Score: 5, Interesting

    For me, being Canadian, the funniest part of the whole article is how Air Canada's suit is looking for lost profits. Air Canada hasn't made a profit in decades, being a quasi-Crown corporation that can depend on the govt bailing them out when they run out of money.

    Seems to me that Air Canada will have to pay WestJet money for "lost profits," since they spared them from losing money on those flights!

  5. Hello? Air Canada I.T. Department? by bbq_jedi · · Score: 5, Interesting

    Quote from Wompom website:
    "If AC really knew the truth they would realise that access had been made following the circulation of the PIN on airline chat lines earlier this year. WomPom even used it to verify its functionality."

    http://www.wompom.ca/news/wp2004apr07.htm#1

    Duh...