Slashdot Mirror
Air Canada Sues Over Misuse Of Employee Password
Anonymous Coward writes "What do you do when you let an employee go? You kill their password and ID, right? Air Canada didn't, and they're now in court because the employee went to a competitor, wrote some cool automated scripts using the ID/password, and grabbed some company data." Interesting story, because Air Canada authorized the employee to access this website and book tickets for himself as part of his severance, but they apparently provide a little more data on that site than what is available to the public.
To airlines, a space-available ticket is something that's being plucked out of the garbage. It represents what they allow most of their employees to do... fly for free when there's an empty seat that's going to be going to be going somewhere. Of course, the critical mistake was that in order for somebody to know if there's going to be space-availalbe, they have to publish on this site how full or not full the plane currently is.
So there's where the dumb idea play comes in. If they had just let him have some free coach tickets through the customer side the operation then all they'd have to do is give him some limited-use coupon codes. Or they could have given him cash in his severance package. But no, they had had to go with these theoretically near-zero-cost cost tickets... and now look where they are.
Some of Canada's largest pension funds as well as Toronto conglomerate Onex Corp. and several U.S. vulture funds have been mentioned as possible replacement investors in the airline.
Was that a typo... or is The Globe and Mail public on it's low opinion of venture capital operations?
We may see an interesting test case for the validity of website terms of serivce here, or maybe even what happens when a website forgets to cover a form of abuse in the TOS.
Afterall, the site that was involved here was designed for an internal audience, one that'd not dream of feeding info to a competitor.
But they couldn't simply delete this guy's account because he was entitled to use that site for the next five years to book free air travel as part of his severance package. If he was told not to give the information to his new employer, that's one thing. But if he wasn't, then who can say that infomation given to an ex-employee without any contract still counts as a trade secret?
So, if there isn't a TOS on the page in question... things could get really interesting.
Some of Canada's largest pension funds as well as Toronto conglomerate Onex Corp. and several U.S. vulture funds have been mentioned as possible replacement investors in the airline.
Finally a newspaper that calls a cat a cat!
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Of course you don't remove old IDs/PWDs, the larger the user database is, the cooler it looks.
Right?
It seems that the ex-employee used automated technology to access information that he was allowed to access. What makes this information confidential?
Maybe Lanford signed somthing, but the article doesn't mention what violation Lanford committed, aside from 'using confidential information' that he obviously had access to.
How effectivly can a company regulate the way that information it discloses can be used?
IANAL. Maybe there's some sort of quid-pro-quo regarding Lanford's receipt of something tangible like tickets which would make a confidentiality agreement more binding than a simple clickthrough liscense, but does anyone know what it takes for one of those buggers to hold up in court?
From the article;
The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website.
"The continuous and massive use of Lafond's employee ID number and PIN to access the employee website could not be done by one individual and far exceeds any possible potential use by Lafond," Air Canada said.
Well, obviously he did use the information. It's just a matter of what he used it for.
"Such massive access to the employee website through one employee ID number could only be accomplished through automated technology."
___
It's the end of my comment as I know it and I feel fine.
The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website
It took more than 10 months to realize that this account was hitting the site roughly 750 times per day? Somebody didn't bother to check the logs regularly... this should have smelled funny much faster than that.
The funny thing is, Air Canada is one of only a few corporate entities world wide that probably can't afford to sustain litigation against a private citizen =)
For the benefit of Americans who probably neither know the circumstances (nor really care I'm sure), Air Canada is Canadian's only remaining national airline (i.e. services all parts of the country as opposed to just a few very profitable routes; and does so with legendary rudeness, but that is another story), and it is quite bankrupt. Its chances of survival at this point seem pretty remote.
The real problem is the lack of security awareness by Air Canada.
The imformation could have been obtained by noting the place and departure times of all Air Canada's fleights. The ex-employee just made it easier.
Too, it looks like a sinking ship in search of rats.
"Using that confidential information, WestJet adjusted its own schedule, planned its expansion into new routes and adopted pricing strategies to force its larger competitor out of certain markets, Air Canada alleges."
This is an insider-information case, and he should get what's coming to him. Pure and simple. He abused a quirk, he and WestJet really don't have a strong case here.
Kip Hawley is an idiot.
I guess it depends on what terms and conditions were specified when they gave him the login and password. If he had to sign an agreement when he got them..presumably they would still be in effect as long as the Login/Password was active.
If the use of the login and password was specified in an employment contract though, would he still be bound to the Ts&Cs after he left?
Hey, space-available tickets are a very good deal for the airlines and the employees who work for them. I probably would not be working for an airline if it weren't for the fact I've been to Europe twice, Japan once, and Mexico more times than I can remember in the last four years, all working at a salary barely twice the minimum wage. The Reservation center I work at has an extremely low turnover rate by call center standards, and most of my co-workers travel abroad on a regular basis. And the company gets lots of happy workers just by giving away the seats they can't sell.
But it's insider information he was explicitly allowed to have.
Air Canada fired him. Laid off. Not any longer employed but continued to give him access to information they wanted to keep private. They have, however, no reasonable expectation that this information would be kept private unless of coure it was previously arranged in the severance or rider contract.
Insider information isn't illegal perse. For example, if I went and physically counted the number of people getting on and off Air Canada planes at different times, and recorded that and sold it to WestJet things would be just fine. It's called market research.
The real issue here isn't insider information. It seems to be in my opinion trade secret.
How do you know that he didn't just automate checking which flights had empty seats on them, so he could take advantage of his free tickets?
Sure, it looks likely that he passed this information onto his new employer, but unless you are the defendant, how can you be so sure?
The world needs more people who don't just jump to conclusions from reading one newspaper article.
codegolf.com - smaller *is* better.
I'm currently working on a project like this as we speak. My company's website is getting nailed from a handful of IP addresses that do nothing but datamining. We've come to the conclusion that captchas would penalize joe user and we're going to move forward with some applications that throttle requests by IP. We don't keep private information outside of account specific data...
My company is looking at it in a different way tho - We've figured out what click sequences are used and we're going to address the business need that these few bots have identified. If these 3rd party bots are selling atomic or aggregate data, well, why not cut them off at the source and sell the data for less?
The company failed in 2 areas - 1) keeping sensitive inside information from their outward facing internet site and 2) They should have rescinded the ID. I'm not sure about making their data available to the competition, but thats an inevitibility that they need to account for.
-B
The real issue here isn't insider information. It seems to be in my opinion trade secret.
I'm sorry, you are correct. This is a trade secret issue. If Air Canada can cough up the paperwork saying he was only allowed to use his insider information to book his own tickets and absolutely nothing else, then it's an open-shut case. If not, then it'll be interesting to see how WestJet's lawyers defend this dude.
Kip Hawley is an idiot.
For me, being Canadian, the funniest part of the whole article is how Air Canada's suit is looking for lost profits. Air Canada hasn't made a profit in decades, being a quasi-Crown corporation that can depend on the govt bailing them out when they run out of money.
Seems to me that Air Canada will have to pay WestJet money for "lost profits," since they spared them from losing money on those flights!
How do we know they were 'cool' scripts. If he was such a great scripter, why was he let go.. or is simple web crawler enough to pass for 'cool' these days. Perhaps they were among some of the most inefficient scripts of all time, rivaling those found in the Hall of Terrible Programming.
You are entering an Official Air Canada System, which may be used only for authorized purposes. Unauthorized modification of any information stored on this system may result in criminal prosecution. The Government may monitor and audit the usage of this system, and all persons are hereby notified that use of this system constitutes consent to such monitoring and auditing.
The story digest may have this completely wrong. It says "What do you do when you let an employee go? You kill their password and ID, right?"
The activity in question appears to have been facilitated by access granted as part of his severance package. As the article notes: "As part of his separation package when Lafond left Canadian Airlines in October 2000, he received two space-available airline tickets per year for five years. These tickets are booked through the private website."
The article is actually a little hazy on the details here. Though it doesn't specifically say so, it seems to imply that the separation agreement gave the terminated employee direct access to this private web site through a user name and password. One can imagine other ways this could be done that didn't involve direct access to the employee, like through a dedicated fulfillment provider, for example.
Either way, it sounds like it all amounts to some pretty dumb corporate behavior on the part of Air Canada. Either bad security practices if they didn't cut off the guy's access, or bad auditting if all that use went unnoticed for so long.
In Denmark where I live the rules are simple.
You don't get sued for accessing the website, with or without an illegal id. You get sued if you misuse information you gained in your former employment. It doesn't matter if it is in your contract, the commerce laws in Denmark forbid use of inside knowledge to harm other companies - as it clearly is happening in this case.
I would guess that Canada have some similar laws.
So how you obtain the information is irrelevant - even thou this case in interesting from a slash-dot point of view.
-:) Oh no - not again.
www.rednebula.com
It's not so much What Air Canada's doing, but how they went about it. There really doesn't seem to be much reason to give former employees access to private sites. Although it's not too clear in the article, the least they coulda done was create a separate network, with filtered data (i.e. a DB with just empty airline seats, and also coded in different ways so that you don't really have too much of a clue what's going on elsewhere...) Heck maybe the employee shouldn't even have visibility into what routes have empty seats, but just submit a request for an empty seat. (i.e. Instead of the system saying "we have 50 free seats to mexico today, take your pick" it should simply say " Mr. X, you have got the free seat to mexico today". ) How difficult would that be to do really? Even simpler is not allowing the former employees access to private sites, severance or not. This is simply laziness on Air Canada's part (hell we have to give these bozos free tickets, so let's just give 'em a little more access).Air Canada got what it deserves, and if anything, it should be Air Canada's investors suing Air Canada!
They're a great deal for the employees, but revealing which routes have space-available seats shortly before takeoff is highly valuable data. That shouldn't be in trusted the hands of an ex-employee.
Had they simply upgraded him to a regular coach seat, there'd be no need to be giving him access to the employee-side site. This was a case of being cheap in the near term costing more in the long run...
This guy is the reason the IT industry is full of non-compete contracts... what a 100% total asshole.
Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
According to this logic
Which logic is that? Certainly not any that was posted here.
if you leave your front door unlocked, and I walk in and take your stuff, it's OK, because you allowed me access to it
No. More like: if I gave you a key to my front door, and told you to take whatever you wanted from my fridge, and you come in, clean out the fridge, and sell it to the market across the street, then it's OK, because I gave you access to it.
Which it would be (because I have given you permission.)
he was clearly in the wrong with his actions
Not necessarily. If he had an agreement that he wouldn't give/sell the information to anyone, then you may have a point, but if there was no such agreement, then he's quite clearly not in the wrong.
I don't think this qualifies as insider information, but more appropriately called company proprietary, or company confidential information
If it was proprietary, or confidential, then the company should have had measures in place to keep it that way. You can't give something to someone with no strings attached, and then cry foul when they use it for something you don't like.
I'm not sure anymore if that would help, but I know at least one company never changed their passwords because their vendors kept paging me, up to a year later, to "go into the system and make these changes." One of the vendor contacts and I had became good friends, and one day he begged, "We can't get in, and those bozos won't answer our pages." So I told them the last password I had, stating it probably wouldn't work. Nope, he got right in. Root access to a major gateway.
And the password was easy too, like abc123 "That's the combo on my luggage" easy. Considering this gateway controlled 48 T1 lines to a large call center, I shudder to think how it could be used if phreaked.
'The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website'
Let's see who's visiting our website last month...OMG!
How could a commercial website be so clueless?
sig mind freed
Quote from Wompom website:
" If AC really knew the truth they would realise that access had been made following the circulation of the PIN on airline chat lines earlier this year. WomPom even used it to verify its functionality."
http://www.wompom.ca/news/wp2004apr07.htm#1
Duh...
Issue 1: Stupidity of the organization to not lock down permissions and/or kill the account/password.
Issue 2: Duplicity from the former employee accessing data he knew full well that he should not have accessed.
Both need to harbor the blame for their part.
Just be careful. These are only allegations, and one should take any claims that Air Canada makes about WestJet with a couple of grains of salt. They have a huge WestJet complex. Not that I'm saying that this kind of thing couldn't happen.
www.timcoleman.com is a total waste of your time. Never go there.
im not up on canadian law.. but if its anything like the US they better hope he signed his non-competition agreement nice and clear :)
What you say is true, but you completely missed the point. By giving space-available tickets to an ex-employee, they opened themselves up to this sort of stuff. He wasn't saying that SA tackets are a dumb idea, only that it's dumb to give them to someone who doesn't work for the company anymore.
If a job's not worth doing, it's not worth doing right.
Lawsuit aside, what about this guy's sense of professional ethics? Regardless of what TOS the AC site put up, or whether the guy could get away with it on a technicality, who wants that type of person working at their company?
And if I was his boss at WestJet, I'd be nervously trying to figure out what data this guy will 'volunteer' once he leaves his current employment...
It has been pointed out that the data he retrieved from WestJet, he retrieved after he left, and therefore didn't steal it - but the existence of the server, and the fact that he could access it - is information that this guy had a professional obligation to keep to himself.
I hope WestJet takes care of him, 'cause I can't imagine him working anywhere else now...
Pixie
don't mess with those geekgrrls
What does this say about outsourcing VS IT security ... and India too.
It turns out they are a security hole. That makes them a bad idea, even if they are a way to save money for the airlines
That's a bit shortsighted, isn't it? These tickets are a great idea all the way around. It's how they give access to the information that's at fault, not the concept of zero-cost tickets. That's like saying that because you killed someone with your car, all cars are a bad idea. The problem here is that Air Canada's website allowed an individual to do 600,000 lookups (whateve the number was). There should be a reasonable limit, like 100 a day or less. There's no reason for any one person to have more than that, and with such a limit in place the program should be able to continue without a problem.
Jesus, write a script kiddie toy to use the existing front end to interrogate the back end once a minute for ten months? What the hell is that?
... and it snowballed from there as some sort of clandestine 'upper-management wants to be a hacker' way. Then again it worked and helped them on the business side in a massive way so I guess it wasn't completely stupid. Except for getting caught, of course, hammering on the system day and night for 10 months and leaving an audit trail as long as your arm.
If you are going to hack, HACK. Hook up directly to the database back end and write some SQL to extract all the data at once and have it spit out nice neat reports summarizing the data. Run it once a day at most.
Somehow I think this guy was showing off to his boss the first week like some newbie - probably said 'hey check this out' the first day when showing it to him without thinking through the long term ramifications
Glonoinha the MebiByte Slayer
it's dumb to give them to someone who doesn't work for the company anymore.
Yeah, someone who works for the company would never do anything nefarious with the information, would they? It just seems obvious that everyone with access to the site, employees or otherwise, should have limits placed on accesses. It's crazy to allow anyone hundreds of thousands of queries.
but logging into a website 32 times an hour for 10 months; is that really necessary to get the information Westjet is accused of using?
I would think a couple of times an hour at most would be all that is required to gather flight loads. I can't see a whole lot of passengers waiting until 2 minutes before the flight to book their tickets (it may happen once or twice, but over the course of months those will be anomolies). So either Westjet was being stupid and killed the goose that laid the golden egg, or there is a lot more going on than we being told.
Non-Canadian airlines will fly in and out of Canadian cities, but there are a bunch of regulations preventing them from being true competition for Air Canada. For instance, Delta can't fly from Toronto to Vancouver to Tokyo. We have to fly from Toronto to Chicago to Tokyo instead. Something like that, as I understand it.
In any case, some of the smaller airlines (like Air Transat) have been constantly growing and adding new routes, but it takes a while.
Air Canada is liable to those whose data (and lives) they protect, for leaving the door unlocked on a busy street. And the ex-employee is liable for trespassing, regardless of their posession of an old key, once disinvited from the premises, to say nothing of theft and privacy invasion. Corporation vs. ex-employee is a false choice: they're all guilty.
--
make install -not war
Of course, the critical mistake was that in order for somebody to know if there's going to be space-availalbe, they have to publish on this site how full or not full the plane currently is.
Sorry, wrong!
Many airlines when you call to wait-list yourself on a flight will do just that.... You don't get any details about how full the flight is.
If you want to get particular, this is called Non-Revenue Space-Available. I can list myself on a flight that operates 4 months from now that may only have 4 people booked on it. Or, I can list myself on a flight that departs in 15 minutes that's oversold by 2 seats. If there's enough no-shows on the flight, I get a seat. The whole concept of non-rev travel means that if there's an open seat and you're ready to go, you can get it.
The value of that empty seat is $0 the moment the aircraft door closes, hence the airlines willingness to to allow employees or interline agreement employees to travel for free.
The ability to get listed on a flight is a totally seperate event from letting the guy have access to their reservations/booking system. That's just piss poor security procedures on the part of Air Canada.
I work in an airline dispatch office, so this is something I have some familiarity with.
-- El Sacarino tiene gusto de la chocha
Complete nonsense. Using a non-sequitur to evoke an emotional response may pass for debate in Canada, but not here in US, eh.
The company explicitly gave the ex-employee access to the site with the private data, apparently without establishing limits on how often the site could be accessed or (slightly more questionable) how the information could be used. The only limitation mentioned by the article was that only two tickets could be booked per year. Although the ex-employee's actions appear unethical, it is not even clear that he violated any usage agreement that came with the ID/password.
That's a very interesting observation. Air Canada was indeed negligent here, but how many times have you written code to limit such a thing? When you're trying to get something working and bug-free, it's hard to think of every nefarious thing someone could do with your application. I think this is more an issue of a webmaster failing to look over logs in order to later take corrective action.
The company explicitly gave the ex-employee access to the site with the private data, apparently without establishing limits on how often the site could be accessed or (slightly more questionable) how the information could be used. The only limitation mentioned by the article was that only two tickets could be booked per year. Although the ex-employee's actions appear unethical, it is not even clear that he violated any usage agreement that came with the ID/password.
Ahh, so if you give your neighbour a key to your garage so he can borrow your lawnmower, and he rifles through all your old bank records that happen to be stored out there, and sells the info to someone else, then he's just doing what any red blooded American can be expected to do (screw his neighbour), and it's your fault for trusting him... is that it? Now I see how it works with you foreigners.
Just kidding. Boy, you really got me with that "eh" joke. I didn't see that one coming... when did y'all b'come so quick-witted down thar anyway?
"I have never let my schooling interfere with my education." - Mark Twain
I've actually had the opportunity to use these "space-available" tickets from time to time (my dad worked for an airline), and unfortunately "there are / aren't some free seats" isn't enough information to plan your trip... your seat basically isn't confirmed until all the paying customers are physically on the plane, so knowing whether there are 2 or 20 seats available the day before makes a big difference as to how likely you are to end up stuck at the airport.
That having been said, since I wasn't an actual employee I couldn't use the web site myself, I had to call and speak to a human operator. They'd tell me the actual number of open seats, but it seems unlikely WestJet would be able to do this 240,000 times without somebody catching on :P. (of course, then Air Canada would have their former employees suing them over interminable hold times, but that's a whole different problem.)