Slashdot Mirror


Air Canada Sues Over Misuse Of Employee Password

Anonymous Coward writes "What do you do when you let an employee go? You kill their password and ID, right? Air Canada didn't, and they're now in court because the employee went to a competitor, wrote some cool automated scripts using the ID/password, and grabbed some company data." Interesting story, because Air Canada authorized the employee to access this website and book tickets for himself as part of his severance, but they apparently provide a little more data on that site than what is available to the public.

44 of 215 comments

  1. If you deal in garbage, you might attract flies. by LostCluster · · Score: 5, Informative

    To airlines, a space-available ticket is something that's being plucked out of the garbage. It represents what they allow most of their employees to do... fly for free when there's an empty seat that's going to be going somewhere. Of course, the critical mistake was that in order for somebody to know if there's going to be space-available, they have to publish on this site how full or not full the plane currently is.

    So that's where the dumb idea play comes in. If they had just let him have some free coach tickets through the customer side of the operation then all they'd have to do is give him some limited-use coupon codes. Or they could have given him cash in his severance package. But no, they had to go with these theoretically near-zero-cost tickets... and now look where they are.

  2. Calling a spade a "spade" are we? by LostCluster · · Score: 4, Funny

    Some of Canada's largest pension funds as well as Toronto conglomerate Onex Corp. and several U.S. vulture funds have been mentioned as possible replacement investors in the airline.

    Was that a typo... or is The Globe and Mail public on its low opinion of venture capital operations?

    1. Re:Calling a spade a "spade" are we? by asreal · · Score: 4, Informative

      Yes, they meant vultures. Air Canada is dying, and these funds are just waiting for them to keel over before they swoop down for the feed. Thus, vulture funds.

    2. Re:Calling a spade a "spade" are we? by Zocalo · · Score: 5, Funny

      Actually "vulture capital" is a legitimate term for people that buy failing companies in order to asset strip and so on. Quite literally picking over the bones of the corporate carcass for stray morsels of value. If you are in Utah you can see some circling over Salt Lake City waiting for SCO to finally croak.

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:Calling a spade a "spade" are we? by qvanderm · · Score: 5, Informative

      Not a typo. Vulture Funds specialize in 'distressed' investments. A money-burning operation like Air Canada certainly qualifies.

    4. Re:Calling a spade a "spade" are we? by Jeff+DeMaagd · · Score: 3, Funny

      there's gonna be assets left in SCO?

      I would guess not much more than office equipment, furniture and an unread copy of "Litigation for Dummies".

  3. What was the TOS? Was there even one? by LostCluster · · Score: 5, Insightful

    We may see an interesting test case for the validity of website terms of service here, or maybe even what happens when a website forgets to cover a form of abuse in the TOS.

    After all, the site that was involved here was designed for an internal audience, one that'd not dream of feeding info to a competitor.

    But they couldn't simply delete this guy's account because he was entitled to use that site for the next five years to book free air travel as part of his severance package. If he was told not to give the information to his new employer, that's one thing. But if he wasn't, then who can say that information given to an ex-employee without any contract still counts as a trade secret?

    So, if there isn't a TOS on the page in question... things could get really interesting.

    1. Re:What was the TOS? Was there even one? by Tirel · · Score: 5, Insightful

      Terms of service are displayed so that the provider can discontinue the service to that particular client if he breaks them, it's never used to sue anyone. He didn't seem to hurt their website significantly (after all, it was months before they noticed it?) so there's nothing illegal in that.

      OTOH, if he signed (and not just viewed or clicked on a button), a confidentiality agreement, then he's fucked.

    2. Re:What was the TOS? Was there even one? by tehcyder · · Score: 3, Insightful

      He must surely have signed some sort of compromise agreement when he left, or else where does the fact that he had five years' access come from?

      And if the agreement was drafted without a clause saying he couldn't reveal information to a competitor, then the company's legal/HR team should be fired, not this bloke.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    3. Re:What was the TOS? Was there even one? by Cecil · · Score: 3, Insightful

      Would you please cut that shit out? "He stole"? What is up with this need to fit every computer crime into our existing little niches of criminal activity?

      He used privileged information in an unethical way that gave an unfair advantage to his new employer, which should be illegal if it isn't already. But he didn't steal. When you get fired by your employer do you try to prosecute them for "aggravated assault"? Stop stretching definitions, especially to the ludicrous extent that "theft" has been stretched. Look, I'm stealing your bandwidth right now! Ha ha ha!

      *puts on his pirate hat*

  4. Excellent newspaper by Rosco+P.+Coltrane · · Score: 5, Funny

    Some of Canada's largest pension funds as well as Toronto conglomerate Onex Corp. and several U.S. vulture funds have been mentioned as possible replacement investors in the airline.

    Finally a newspaper that calls a cat a cat!

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  5. It's all about size. by NickeB · · Score: 3, Funny

    Of course you don't remove old IDs/PWDs, the larger the user database is, the cooler it looks.
    Right?

    1. Re:It's all about size. by CoderDevo · · Score: 4, Informative

      In fact, you shouldn't. You should just have a bit-flag on the accounts saying that they're not allowed to log in... you never know when somebody's coming back to the company and would need their account reactivated.

      Actually, there is no harm in deleting the account. It is typical practice to delete all accounts 30-90 days after an employee leaves. My company maintains a database of past IDs and their owners for forensic & audit purposes. (That database is not used for authentication.) But we have no problem with re-issuing an ID to a new employee if the ID has not been used for a few years.

      However, deleting or disabling the account would not have worked for Air Canada since they already agreed to give the ex-employee access to their space-available tickets website for the 5 years following his departure.

      They could have instead analyzed website activity looking for anomalies, but that may not have worked either since they hadn't anticipated this type of misuse. A better solution would be to not give ex-employees access to any internal data at all. Instead, provide non-employees with only a phone number for a ticket agent who can book the flights for them. But then, that is more expensive. There is risk in being cheap.

  6. I'm not sure if I understand by PsiPsiStar · · Score: 4, Informative

    It seems that the ex-employee used automated technology to access information that he was allowed to access. What makes this information confidential?

    Maybe Lanford signed something, but the article doesn't mention what violation Lanford committed, aside from 'using confidential information' that he obviously had access to.

    How effectively can a company regulate the way that information it discloses can be used?

    IANAL. Maybe there's some sort of quid-pro-quo regarding Lanford's receipt of something tangible like tickets which would make a confidentiality agreement more binding than a simple clickthrough license, but does anyone know what it takes for one of those buggers to hold up in court?

    From the article:

    The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website.

    "The continuous and massive use of Lafond's employee ID number and PIN to access the employee website could not be done by one individual and far exceeds any possible potential use by Lafond," Air Canada said.

    Well, obviously he did use the information. It's just a matter of what he used it for.

    "Such massive access to the employee website through one employee ID number could only be accomplished through automated technology."

    --
    ___
    It's the end of my comment as I know it and I feel fine.
    1. Re:I'm not sure if I understand by Bishop · · Score: 4, Insightful

      I know it is hard for geeks to understand, but there is more to law then what is written down in black and white.

      In this civil suit one of the arguments that will be put forward by Air Canada is whether the use of the information was "reasonable." Their argument will probably include examples of similar agreements all in an effort to convince a judge. It is unlikely that there is any document that states how many times a person can log into the site, or what they may use the information found on the site for. These statements are unnecessary.

      The "reasonable" test goes far beyond what has been written on paper. It appears all over civil and criminal law in every court that has ever been influenced by the British, and probably the other European powers as well. It is a giant catch all in some respects. This test is even found at the heart of modern justice in the phrase "...beyond a reasonable doubt."

      Slashdot has reported on many cases where geeks have gotten into trouble when they have assumed that an act was permitted because there is no statement preventing said act. This is never the case. In all laws, and in all contracts there is always an implied element of what is reasonable.

  7. Thou shalt check thine logs... by LostCluster · · Score: 4, Interesting

    The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website

    It took more than 10 months to realize that this account was hitting the site roughly 750 times per day? Somebody didn't bother to check the logs regularly... this should have smelled funny much faster than that.

    1. Re:Thou shalt check thine logs... by Willeh · · Score: 4, Funny

      Or they just assumed he was a compulsive, obsessive control freak checking up on his flight every 5 seconds, and that was the reason they fired him in the first place.

      --
      Will wank off Linus Torvalds for fame.
    2. Re:Thou shalt check thine logs... by Tom · · Score: 4, Interesting

      You've never admin'ed a major site, have you?

      I have (16k hits/min during the business day). Something like 750 hits per day is well below the line noise threshold for any large site. Unless you look for patterns like that intentionally, you'll never notice.

      --
      Assorted stuff I do sometimes: Lemuria.org
    3. Re:Thou shalt check thine logs... by Ami+Ganguli · · Score: 4, Interesting

      Say 40k employees look at the site an average of once a month (I'd probably check it out once a week myself, so I think this is a low estimate).

      Each time you log in you probably do five or so hits, for 200k hits a month, or over 6000 hits/day.

      750 extra hits a day should be noticed, but I doubt anybody cares enough about the traffic on an internal web site to find out why it's gone up by 12% or so. If it happened suddenly on our public site, I'd definitely care, but if it happens on our Intranet it's just an interesting statistic.

      Of course, somebody did notice eventually. But it doesn't surprise me that it took a long time to figure out.

      --
      It is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail. - Abraham Maslow
  8. Turnabout... by Anonymous Coward · · Score: 5, Interesting

    The funny thing is, Air Canada is one of only a few corporate entities world wide that probably can't afford to sustain litigation against a private citizen =)

    For the benefit of Americans who probably neither know the circumstances (nor really care I'm sure), Air Canada is Canada's only remaining national airline (i.e. services all parts of the country as opposed to just a few very profitable routes; and does so with legendary rudeness, but that is another story), and it is quite bankrupt. Its chances of survival at this point seem pretty remote.

  9. Terms and conditions... by adamofgreyskull · · Score: 3, Insightful

    I guess it depends on what terms and conditions were specified when they gave him the login and password. If he had to sign an agreement when he got them..presumably they would still be in effect as long as the Login/Password was active.

    If the use of the login and password was specified in an employment contract though, would he still be bound to the Ts&Cs after he left?

  10. Re:If you deal in garbage, you might attract flies by Beeswarm · · Score: 5, Insightful

    Hey, space-available tickets are a very good deal for the airlines and the employees who work for them. I probably would not be working for an airline if it weren't for the fact I've been to Europe twice, Japan once, and Mexico more times than I can remember in the last four years, all working at a salary barely twice the minimum wage. The Reservation center I work at has an extremely low turnover rate by call center standards, and most of my co-workers travel abroad on a regular basis. And the company gets lots of happy workers just by giving away the seats they can't sell.

  11. Re:Rights? Clearly abused. by danheskett · · Score: 4, Informative

    But it's insider information he was explicitly allowed to have.

    Air Canada fired him. Laid off. Not any longer employed but continued to give him access to information they wanted to keep private. They have, however, no reasonable expectation that this information would be kept private unless of course it was previously arranged in the severance or rider contract.

    Insider information isn't illegal per se. For example, if I went and physically counted the number of people getting on and off Air Canada planes at different times, and recorded that and sold it to WestJet things would be just fine. It's called market research.

    The real issue here isn't insider information. It seems to be in my opinion trade secret.

  12. Dealing with this right now by beacher · · Score: 4, Interesting

    I'm currently working on a project like this as we speak. My company's website is getting nailed from a handful of IP addresses that do nothing but datamining. We've come to the conclusion that captchas would penalize joe user and we're going to move forward with some applications that throttle requests by IP. We don't keep private information outside of account specific data...

    My company is looking at it in a different way tho - We've figured out what click sequences are used and we're going to address the business need that these few bots have identified. If these 3rd party bots are selling atomic or aggregate data, well, why not cut them off at the source and sell the data for less?

    The company failed in 2 areas - 1) keeping sensitive inside information from their outward facing internet site and 2) They should have rescinded the ID. I'm not sure about making their data available to the competition, but that's an inevitability that they need to account for.
    -B

    1. Re:Dealing with this right now by Anonymous Coward · · Score: 4, Insightful

      shutting it off is the weak mind's way to resolve the issue.

      identify the bots and slowly poison their data instead. that's how a man should do it.
      whenever the bot is digging into your data, instead of real data feed it fake garbage data instead. poisoned garbage data should however only be slightly off not to make it obvious that it is garbage data. the point is: it should take long to realize that the data is poisoned. When they realize the data is poisoned they should not be able to tell what data is real and what is poisoned so they will have to throw ALL data away.

      So that when they finally realize they have been poisoned it will be too late to do anything about it.

    2. Re:Dealing with this right now by beacher · · Score: 4, Interesting

      You do have a firewall, right? Absolutely

      So that when they finally realize they have been poisoned it will be too late to do anything about it.
      Not ethical and impractical. Just how many requests does it take before you start poisoning? 1000 per hour? We get that many hits from AOL and they come in through a gateway. If we were poisoning legitimate users data, that would be unacceptable.

      Why don't you go the ebay way and provide an API into your web site, then change the format slightly every month, thereby breaking the web crawlers? After all, you may as well make money out of the data miners. We have *extensive* APIs into most of our systems. We're trying to get the bots to use and license the APIs. I have been talking with some of the developers to try to put some unicode inside (human readable but bot breaking).. They may be looking into this. We don't make any money off the data miners.

  13. Re:Rights? Clearly abused. by ruprechtjones · · Score: 3, Interesting

    The real issue here isn't insider information. It seems to be in my opinion trade secret.

    I'm sorry, you are correct. This is a trade secret issue. If Air Canada can cough up the paperwork saying he was only allowed to use his insider information to book his own tickets and absolutely nothing else, then it's an open-shut case. If not, then it'll be interesting to see how WestJet's lawyers defend this dude.

    --
    Kip Hawley is an idiot.
  14. Re:The moral is? by Beeswarm · · Score: 4, Informative

    Wrong. The information in question would have to be the flight loads. This would tell you how many people are booked on a specific flight and how many overbookings are allowed. To an employee, this information would be used to plan their travel by seeing which flights they would be most likely to get on as a space-available rider. To a competitor, this information would be useful for determining which routes are more profitable because the seats are always full, and which routes already have too much seat capacity.

  15. The Funny Part by Fortress · · Score: 5, Interesting

    For me, being Canadian, the funniest part of the whole article is how Air Canada's suit is looking for lost profits. Air Canada hasn't made a profit in decades, being a quasi-Crown corporation that can depend on the govt bailing them out when they run out of money.

    Seems to me that Air Canada will have to pay WestJet money for "lost profits," since they spared them from losing money on those flights!

    1. Re:The Funny Part by Snosty · · Score: 5, Insightful

      On a slightly related note I was booking a flight from Vancouver to London last year and found the cheapest flight in the area was from Seattle to London via Vancouver on Air Canada. Booking the direct flight from Vancouver to London on Air Canada was nearly twice as expensive as taking a commuter flight from Seattle to Vancouver and then getting on that same direct flight to London.

      Why not skip the Seattle leg and get on in Vancouver? If you miss the first leg of a flight you are not allowed to make the second leg even when in this case there was an 8 hour layover in Vancouver. As Seattle is only 2.5 hours drive from Vancouver it is conceivable someone could miss the flight from Seattle to Vancouver and still quite easily make the flight from Vancouver to London by catching the train north.

      My point, anyways, was that I was pissed that an airline subsidized by Canadian taxpayers was offering flights to Americans at just over half the price they were offering it to Canadians.

      And before any of you idiots ask the price difference had nothing to do with the exchange rate. ;)

    2. Re:The Funny Part by Anonymous Coward · · Score: 3, Funny

      ... corporation that can depend on the govt bailing them out when they run out of money

      What's wrong with that? That's how they do it in the USA.

  16. Terrible Journalism by Tedium+Unleased · · Score: 3, Funny

    How do we know they were 'cool' scripts? If he was such a great scripter, why was he let go.. or is a simple web crawler enough to pass for 'cool' these days? Perhaps they were among some of the most inefficient scripts of all time, rivaling those found in the Hall of Terrible Programming.

  17. Not how - but what. by Saggi · · Score: 5, Informative

    In Denmark where I live the rules are simple.

    You don't get sued for accessing the website, with or without an illegal id. You get sued if you misuse information you gained in your former employment. It doesn't matter if it is in your contract, the commerce laws in Denmark forbid use of inside knowledge to harm other companies - as it clearly is happening in this case.

    I would guess that Canada has some similar laws.

    So how you obtain the information is irrelevant - even though this case is interesting from a Slashdot point of view.

    --
    -:) Oh no - not again.
    www.rednebula.com
  18. Re:If you deal in garbage, you might attract flies by tarunthegreat · · Score: 3, Interesting

    It's not so much What Air Canada's doing, but how they went about it. There really doesn't seem to be much reason to give former employees access to private sites. Although it's not too clear in the article, the least they coulda done was create a separate network, with filtered data (i.e. a DB with just empty airline seats, and also coded in different ways so that you don't really have too much of a clue what's going on elsewhere...) Heck maybe the employee shouldn't even have visibility into what routes have empty seats, but just submit a request for an empty seat. (i.e. Instead of the system saying "we have 50 free seats to mexico today, take your pick" it should simply say " Mr. X, you have got the free seat to mexico today". ) How difficult would that be to do really? Even simpler is not allowing the former employees access to private sites, severance or not. This is simply laziness on Air Canada's part (hell we have to give these bozos free tickets, so let's just give 'em a little more access). Air Canada got what it deserves, and if anything, it should be Air Canada's investors suing Air Canada!

  19. Re:If you deal in garbage, you might attract flies by LostCluster · · Score: 4, Informative

    They're a great deal for the employees, but revealing which routes have space-available seats shortly before takeoff is highly valuable data. That shouldn't be entrusted to the hands of an ex-employee.

    Had they simply upgraded him to a regular coach seat, there'd be no need to be giving him access to the employee-side site. This was a case of being cheap in the near term costing more in the long run...

  20. reason window whatever by spottedkangaroo · · Score: 4, Insightful

    This guy is the reason the IT industry is full of non-compete contracts... what a 100% total asshole.

    --
    Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
  21. Always change passwords when employees leave by Punk+Walrus · · Score: 3, Interesting

    Back when I did contract work, I always told my employers, via public e-mail, to change the system passwords, and then list which systems I had access to. This way, if they ever got hacked, I could always say, "Well, I *told* you to change them..."

    I'm not sure anymore if that would help, but I know at least one company never changed their passwords because their vendors kept paging me, up to a year later, to "go into the system and make these changes." One of the vendor contacts and I had become good friends, and one day he begged, "We can't get in, and those bozos won't answer our pages." So I told them the last password I had, stating it probably wouldn't work. Nope, he got right in. Root access to a major gateway.

    And the password was easy too, like abc123 "That's the combo on my luggage" easy. Considering this gateway controlled 48 T1 lines to a large call center, I shudder to think how it could be used if phreaked.

  22. Hello? Air Canada I.T. Department? by bbq_jedi · · Score: 5, Interesting

    Quote from Wompom website:
    " If AC really knew the truth they would realise that access had been made following the circulation of the PIN on airline chat lines earlier this year. WomPom even used it to verify its functionality."

    http://www.wompom.ca/news/wp2004apr07.htm#1

    Duh...

  23. There are 2 issues here by fudgefactor7 · · Score: 3, Insightful

    Issue 1: Stupidity of the organization to not lock down permissions and/or kill the account/password.

    Issue 2: Duplicity from the former employee accessing data he knew full well that he should not have accessed.

    Both need to harbor the blame for their part.

  24. Grain of salt by Ctrl-Z · · Score: 3, Insightful

    Just be careful. These are only allegations, and one should take any claims that Air Canada makes about WestJet with a couple of grains of salt. They have a huge WestJet complex. Not that I'm saying that this kind of thing couldn't happen.

    --
    www.timcoleman.com is a total waste of your time. Never go there.
  25. How about Professional Ethics? by sillypixie · · Score: 4, Insightful

    Lawsuit aside, what about this guy's sense of professional ethics? Regardless of what TOS the AC site put up, or whether the guy could get away with it on a technicality, who wants that type of person working at their company?

    And if I was his boss at WestJet, I'd be nervously trying to figure out what data this guy will 'volunteer' once he leaves his current employment...

    It has been pointed out that the data he retrieved from WestJet, he retrieved after he left, and therefore didn't steal it - but the existence of the server, and the fact that he could access it - is information that this guy had a professional obligation to keep to himself.

    I hope WestJet takes care of him, 'cause I can't imagine him working anywhere else now...

    Pixie

    --
    don't mess with those geekgrrls
  26. FYI: Air Canada's IT was outsourced in 1994 by Stavr0 · · Score: 3, Insightful
  27. Re:If you deal in garbage, you might attract flies by tuxlove · · Score: 3, Interesting

    It turns out they are a security hole. That makes them a bad idea, even if they are a way to save money for the airlines

    That's a bit shortsighted, isn't it? These tickets are a great idea all the way around. It's how they give access to the information that's at fault, not the concept of zero-cost tickets. That's like saying that because you killed someone with your car, all cars are a bad idea. The problem here is that Air Canada's website allowed an individual to do 600,000 lookups (whatever the number was). There should be a reasonable limit, like 100 a day or less. There's no reason for any one person to have more than that, and with such a limit in place the program should be able to continue without a problem.
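Two fixes come up repeatedly in this thread: tarunthegreat (comment 18) argues the ex-employee should never have seen the load table at all, only "Mr. X, you have got the free seat", and tuxlove here (like beacher's per-IP throttling in comment 12) argues for a hard cap on lookups per person per day. The code below is an added example for this page, not Air Canada's or WestJet's code: a hypothetical standby-seat service whose "before" method returns the whole load table to any login, and whose "after" method answers only the caller's own request and enforces a per-account daily cap (the 100-a-day figure is taken from the comment above; flight numbers and loads are constructed).

```python
"""Standby-seat lookup: publishing flight loads vs. answering only the request.

Added example (hypothetical service, not Air Canada's code). list_loads() is the
design the thread criticises; request_standby_seat() is the minimised, capped
alternative. Flight data and account IDs are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Flight:
    number: str
    route: str
    capacity: int
    booked: int

    @property
    def open_seats(self):
        return max(self.capacity - self.booked, 0)


@dataclass
class StandbyService:
    flights: dict                      # flight number -> Flight
    daily_limit: int = 100             # "like 100 a day or less" (from the thread)
    requests_today: dict = field(default_factory=lambda: defaultdict(int))
    denials: list = field(default_factory=list)   # (account, day, flight) for log review

    # BEFORE: the employee site published how full every flight was.
    def list_loads(self, account):
        """Insecure by design: hands the competitively sensitive load table,
        booked and capacity per flight, to any caller holding a valid login."""
        return {f.number: {"route": f.route, "booked": f.booked, "capacity": f.capacity}
                for f in self.flights.values()}

    # AFTER: answer only the caller's own request, and cap how often it may ask.
    def request_standby_seat(self, account, flight_number, today=None):
        """Return 'confirmed', 'no_seat', 'unknown_flight' or 'rate_limited'.

        The caller never sees booked/capacity figures, only whether it got a
        seat; the per-account counter is a fixed daily window keyed on the
        principal, the same shape as a per-IP throttle with the key swapped."""
        today = today or date.today()
        key = (account, today)
        if self.requests_today[key] >= self.daily_limit:
            self.denials.append((account, today, flight_number))
            return "rate_limited"
        self.requests_today[key] += 1          # every answered request counts
        flight = self.flights.get(flight_number)
        if flight is None:
            return "unknown_flight"
        if flight.open_seats == 0:
            return "no_seat"
        flight.booked += 1                     # reserve the seat for the caller
        return "confirmed"


if __name__ == "__main__":
    svc = StandbyService(
        flights={"AC101": Flight("AC101", "YVR-LHR", 2, 1),
                 "AC202": Flight("AC202", "YYZ-YVR", 100, 100)},
        daily_limit=3,
    )
    for flight in ("AC202", "AC101", "AC101", "AC101"):
        print(flight, svc.request_standby_seat("AC99999", flight, date(2003, 6, 1)))
    print("denials recorded:", svc.denials)
```

Even the minimised answer leaks one bit per query (seat or no seat), which is why the cap and the minimisation belong together: a login limited to 100 answers a day can learn at most 100 bits about loads, where list_loads() hands over the whole table in one request. The denial list is kept so that an account that keeps hitting the cap shows up in the same log review the earlier comments argue about.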

  28. Re:If you deal in garbage, you might attract flies by RobinH · · Score: 4, Insightful

    The company explicitly gave the ex-employee access to the site with the private data, apparently without establishing limits on how often the site could be accessed or (slightly more questionable) how the information could be used. The only limitation mentioned by the article was that only two tickets could be booked per year. Although the ex-employee's actions appear unethical, it is not even clear that he violated any usage agreement that came with the ID/password.

    Ahh, so if you give your neighbour a key to your garage so he can borrow your lawnmower, and he rifles through all your old bank records that happen to be stored out there, and sells the info to someone else, then he's just doing what any red blooded American can be expected to do (screw his neighbour), and it's your fault for trusting him... is that it? Now I see how it works with you foreigners.

    Just kidding. Boy, you really got me with that "eh" joke. I didn't see that one coming... when did y'all b'come so quick-witted down thar anyway?

    --
    "I have never let my schooling interfere with my education." - Mark Twain