Air Canada Sues Over Misuse Of Employee Password

Anonymous Coward writes "What do you do when you let an employee go? You kill their password and ID, right? Air Canada didn't, and they're now in court because the employee went to a competitor, wrote some cool automated scripts using the ID/password, and grabbed some company data." Interesting story, because Air Canada authorized the employee to access this website and book tickets for himself as part of his severance, but they apparently provide a little more data on that site than what is available to the public.

If you deal in garbage, you might attract flies.

[LostCluster]

To airlines, a space-available ticket is something that's being plucked out of the garbage. It represents what they allow most of their employees to do... fly for free when there's an empty seat that's going to be going to be going somewhere. Of course, the critical mistake was that in order for somebody to know if there's going to be space-availalbe, they have to publish on this site how full or not full the plane currently is.

So there's where the dumb idea play comes in. If they had just let him have some free coach tickets through the customer side the operation then all they'd have to do is give him some limited-use coupon codes. Or they could have given him cash in his severance package. But no, they had had to go with these theoretically near-zero-cost cost tickets... and now look where they are.

Calling a spade a "spade" are we?

[LostCluster]

Some of Canada's largest pension funds as well as Toronto conglomerate Onex Corp. and several U.S. vulture funds have been mentioned as possible replacement investors in the airline.

Was that a typo... or is The Globe and Mail public on it's low opinion of venture capital operations?

Re:Calling a spade a "spade" are we?

[asreal]

Yes, they meant vultures. Air Canada is dying, and these funds are just waiting for them to keel over before they swoop down for the feed. Thus, vulture funds.

Re:Calling a spade a "spade" are we?

[Zocalo]

Actually "vulture capital" is a legitimate term for people that buy failing companies in order to asset strip and so on. Quite literally picking over the bones of the corporate carcass for stray morsels of value. If you are in Utah you can see some circling over Salt Lake City waiting for SCO to finally croak.

Re:Calling a spade a "spade" are we?

[qvanderm]

Not a typo. Vulture Funds specialize in 'distressed' investments. A money-burning operation like Air Canada certainly qualifies.

What was the TOS? Was there even one?

[LostCluster]

We may see an interesting test case for the validity of website terms of serivce here, or maybe even what happens when a website forgets to cover a form of abuse in the TOS.

Afterall, the site that was involved here was designed for an internal audience, one that'd not dream of feeding info to a competitor.

But they couldn't simply delete this guy's account because he was entitled to use that site for the next five years to book free air travel as part of his severance package. If he was told not to give the information to his new employer, that's one thing. But if he wasn't, then who can say that infomation given to an ex-employee without any contract still counts as a trade secret?

So, if there isn't a TOS on the page in question... things could get really interesting.

Re:What was the TOS? Was there even one?

[Tirel]

Terms of service are displayed so that the provider can discontinue the service to that particular client if he breaks them, it's never used to sue anyone. He didn't seem to hurt their website significantly (after all, it was months before they noticed it?) so there's nothing illegal in that.

OTOH, if he signed (and not just viewed or clicked on a button), a confidentiality agreement, then he's fucked.

Excellent newspaper

[Rosco+P.+Coltrane]

Some of Canada's largest pension funds as well as Toronto conglomerate Onex Corp. and several U.S. vulture funds have been mentioned as possible replacement investors in the airline.

Finally a newspaper that calls a cat a cat!

I'm not sure if I understand

[PsiPsiStar]

It seems that the ex-employee used automated technology to access information that he was allowed to access. What makes this information confidential?

Maybe Lanford signed somthing, but the article doesn't mention what violation Lanford committed, aside from 'using confidential information' that he obviously had access to.

How effectivly can a company regulate the way that information it discloses can be used?

IANAL. Maybe there's some sort of quid-pro-quo regarding Lanford's receipt of something tangible like tickets which would make a confidentiality agreement more binding than a simple clickthrough liscense, but does anyone know what it takes for one of those buggers to hold up in court?

From the article;



The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website.

"The continuous and massive use of Lafond's employee ID number and PIN to access the employee website could not be done by one individual and far exceeds any possible potential use by Lafond," Air Canada said.

Well, obviously he did use the information. It's just a matter of what he used it for.



"Such massive access to the employee website through one employee ID number could only be accomplished through automated technology."

Re:I'm not sure if I understand

[Bishop]

I know it is hard for geeks to understand, but there is more to law then what is written down in black and white.

In this civil suit one of the arguments that will be put forward by Air Canada is whether the use of the information was "reasonable." Their argument will probably include examples of similar agrements all in a effort to convince a judge. It is unlikely that there is any document that states how many times a person can log into the site, or what they may use the information found on the site for. These statements are unecessary.

The "reasonable" test goes far beyond what has been written on paper. It appears all over civil and criminal law in every court that has ever been influenced by the British, and probably the other European powers as well. It is a giant catch all in some respects. This test is even found at the heart of modern justice in the phrase "...beyond a reasonable doubt."

Slashdot has reported on many cases where geeks have gotten into trouble when they have assumed that an act was permitted becuase there is no statement preventing said act. This is never the case. In all laws, and in all contracts there is always an implied element of what is reasonable.

Thou shalt check thine logs...

[LostCluster]

The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website

It took more than 10 months to realize that this account was hitting the site roughly 750 times per day? Somebody didn't bother to check the logs regularly... this should have smelled funny much faster than that.

Re:Thou shalt check thine logs...

[Willeh]

Or they just assumed he was a compulsive, obsessive control freak checking up on his flight every 5 seconds, and that was the reason they fired him in the first place.

Re:Thou shalt check thine logs...

[Tom]

You've never admin'ed a major site, have you?

I have (16k hits/min during the business day). Something like 750 hits per day is well below the line noise threshold for any large site. Unless you look for patterns like that intentionally, you'll never notice.

Re:Thou shalt check thine logs...

[Ami+Ganguli]

Say 40k employees look at the site an average of once a month (I'd probably check it out once a week myself, so I think this is a low estimate).

Each time you log in you probably do five or so hits, for 200k hits a month, or over 6000hits/day.

750 extra hits a day should be noticed, but I doubt anybody cares enough about the traffic on an internal web site to find out why it's gone up by 12% or so. If it happened suddenly on our public site, I'd definately care, but if it happens on our Intranet it's just an interesting statistic.

Of course, somebody did notice eventually. But it doesn't surprize me that it took a long time to figure out.

Turnabout...

The funny thing is, Air Canada is one of only a few corporate entities world wide that probably can't afford to sustain litigation against a private citizen =)

For the benefit of Americans who probably neither know the circumstances (nor really care I'm sure), Air Canada is Canadian's only remaining national airline (i.e. services all parts of the country as opposed to just a few very profitable routes; and does so with legendary rudeness, but that is another story), and it is quite bankrupt. Its chances of survival at this point seem pretty remote.

Re:If you deal in garbage, you might attract flies

[Beeswarm]

Hey, space-available tickets are a very good deal for the airlines and the employees who work for them. I probably would not be working for an airline if it weren't for the fact I've been to Europe twice, Japan once, and Mexico more times than I can remember in the last four years, all working at a salary barely twice the minimum wage. The Reservation center I work at has an extremely low turnover rate by call center standards, and most of my co-workers travel abroad on a regular basis. And the company gets lots of happy workers just by giving away the seats they can't sell.

Re:Rights? Clearly abused.

[danheskett]

But it's insider information he was explicitly allowed to have.

Air Canada fired him. Laid off. Not any longer employed but continued to give him access to information they wanted to keep private. They have, however, no reasonable expectation that this information would be kept private unless of coure it was previously arranged in the severance or rider contract.

Insider information isn't illegal perse. For example, if I went and physically counted the number of people getting on and off Air Canada planes at different times, and recorded that and sold it to WestJet things would be just fine. It's called market research.

The real issue here isn't insider information. It seems to be in my opinion trade secret.

Dealing with this right now

[beacher]

I'm currently working on a project like this as we speak. My company's website is getting nailed from a handful of IP addresses that do nothing but datamining. We've come to the conclusion that captchas would penalize joe user and we're going to move forward with some applications that throttle requests by IP. We don't keep private information outside of account specific data...

My company is looking at it in a different way tho - We've figured out what click sequences are used and we're going to address the business need that these few bots have identified. If these 3rd party bots are selling atomic or aggregate data, well, why not cut them off at the source and sell the data for less?

The company failed in 2 areas - 1) keeping sensitive inside information from their outward facing internet site and 2) They should have rescinded the ID. I'm not sure about making their data available to the competition, but thats an inevitibility that they need to account for.
-B

Re:Dealing with this right now

shutting it off is the weak minds way to resolve the issue.

identify the bots and slowly poison their data instead. thats how a man should do it.
whenever the bot is digging into your data, instead of real data feed it fake garbage data instead. poisoned garbage data should however only be slightly off not to make it obvious that it is garbage data. the point is : it should take long to realize that the data is posioned. When they realize the data is poisoned they should not be able to tell what data is real and what is poisoned so they will have to throw ALL data away.

So that when the finally realize they have been poisoned it will be too late to do anything about it.

Re:Dealing with this right now

[beacher]

You do have a firewall, right? Absolutely

So that when the finally realize they have been poisoned it will be too late to do anything about it.
Not ethical and impractical. Just how many requests does it take before you start poisoning? 1000 per hour? We get that many hits from AOL and they come in through a gateway. If we were poisoning legitimate users data, that would be unacceptible.

Why don't you go the ebay way and provide an API into your web site, then change the format slightly every month so breaking the web crawlers? After all, you may as well make money out of the data miners. We have *extensive* APIs into most of our systems. We're trying to get the bots to use and license the APIs. I have been talking with some of the developers to try to put some unicode inside (human readable but bot breaking).. They may be looking into this. We don't make any money off the data miners.

Re:The moral is?

[Beeswarm]

Wrong. The information in question would have to be the flight loads. This would tell you how many people are booked on a specific flight and how many overbookings are allowed. To an employee, this information would be used to plan their travel by seeing which flights they would most likely to get on as a space-available rider. To a competitor, this information would be useful for determining which routes are more profitible because the seats are always full, and which routes already have too much seat capacity.

The Funny Part

[Fortress]

For me, being Canadian, the funniest part of the whole article is how Air Canada's suit is looking for lost profits. Air Canada hasn't made a profit in decades, being a quasi-Crown corporation that can depend on the govt bailing them out when they run out of money.

Seems to me that Air Canada will have to pay WestJet money for "lost profits," since they spared them from losing money on those flights!

Re:The Funny Part

[Snosty]

On a slightly related note I was booking a flight from Vancouver to London last year and found the cheapest flight in the area was from Seattle to London via Vancouver on Air Canada. Booking the direct flight from Vancouver to London on Air Canada was nearly twice as expensive as taking a commuter flight from Seattle to Vancouver and then getting on that same direct flight to London.

Why not skip the Seattle leg and get on in Vancouver? If you miss the first leg of a flight you are not allowed to make the second leg even when in this case there was an 8 hour layover in Vancouver. As Seattle is only 2.5 hours drive from Vancouver it is conceivable someone could miss the flight from Seattle to Vancouver and still quite easily make the flight from Vancouver to London by catching the train north.

My point, anyways, was that I was pissed that an airline subsidized by Canadian taxpayers was offering flights to Americans at just over half the price they were offering it to Canadians.

And before any of you idiots ask the price difference had nothing to do with the exchange rate. ;)

Not how - but what.

[Saggi]

In Denmark where I live the rules are simple.

You don't get sued for accessing the website, with or without an illegal id. You get sued if you misuse information you gained in your former employment. It doesn't matter if it is in your contract, the commerce laws in Denmark forbid use of inside knowledge to harm other companies - as it clearly is happening in this case.

I would guess that Canada have some similar laws.

So how you obtain the information is irrelevant - even thou this case in interesting from a slash-dot point of view.

Re:If you deal in garbage, you might attract flies

[LostCluster]

They're a great deal for the employees, but revealing which routes have space-available seats shortly before takeoff is highly valuable data. That shouldn't be in trusted the hands of an ex-employee.

Had they simply upgraded him to a regular coach seat, there'd be no need to be giving him access to the employee-side site. This was a case of being cheap in the near term costing more in the long run...

reason window whatever

[spottedkangaroo]

This guy is the reason the IT industry is full of non-compete contracts... what a 100% total asshole.

Re:It's all about size.

[CoderDevo]

In fact, you shouldn't. You should just have a bit-flag on the accounts saying that they're not allowed to log in... you never know when somebody's coming back to the company and would need their account reactivated.

Actually, there is no harm in deleting the account. It is typical practice to delete all accounts 30-90 days after an employee leaves. My company maintains a database of past IDs and their owners for forensic & audit purposes. (That database is not used for authentication.) But we have no problem with re-issuing an ID to a new employee if the ID has not been used for a few years.

However, deleting or disabling the account would not have worked for Air Canada since they already agreed to give the ex-employee access to their space-available tickets website for the 5 years following his departure.

They could have instead analyzed website activity looking for anomolies, but that may not have worked either since they hadn't anticipated this type of misuse. A better solution would be to not give ex-employees access to any internal data at all. Instead, provide non-employees with only a phone number for a ticket agent who can book the flights for them. But then, that is more expensive. There is risk in being cheap.

Hello? Air Canada I.T. Department?

[bbq_jedi]

Quote from Wompom website:
" If AC really knew the truth they would realise that access had been made following the circulation of the PIN on airline chat lines earlier this year. WomPom even used it to verify its functionality."

http://www.wompom.ca/news/wp2004apr07.htm#1

Duh...

How about Professional Ethics?

[sillypixie]

Lawsuit aside, what about this guy's sense of professional ethics? Regardless of what TOS the AC site put up, or whether the guy could get away with it on a technicality, who wants that type of person working at their company?

And if I was his boss at WestJet, I'd be nervously trying to figure out what data this guy will 'volunteer' once he leaves his current employment...

It has been pointed out that the data he retrieved from WestJet, he retrieved after he left, and therefore didn't steal it - but the existence of the server, and the fact that he could access it - is information that this guy had a professional obligation to keep to himself.

I hope WestJet takes care of him, 'cause I can't imagine him working anywhere else now...

Pixie

Re:If you deal in garbage, you might attract flies

[RobinH]

The company explicitly gave the ex-employee access to the site with the private data, apparently without establishing limits on how often the site could be accessed or (slightly more questionable) how the information could be used. The only limitation mentioned by the article was that only two tickets could be booked per year. Although the ex-employee's actions appear unethical, it is not even clear that he violated any usage agreement that came with the ID/password.

Ahh, so if you give your neighbour a key to your garage so he can borrow your lawnmower, and he rifles through all your old bank records that happen to be stored out there, and sells the info to someone else, then he's just doing what any red blooded American can be expected to do (screw his neighbour), and it's your fault for trusting him... is that it? Now I see how it works with you foreigners.

Just kidding. Boy, you really got me with that "eh" joke. I didn't see that one coming... when did y'all b'come so quick-witted down thar anyway?