Forgot your password?
typodupeerror
Security Government The Courts Your Rights Online News

Air Canada Sues Over Misuse Of Employee Password 215

Posted by michael
from the oh-canada dept.
Anonymous Coward writes "What do you do when you let an employee go? You kill their password and ID, right? Air Canada didn't, and they're now in court because the employee went to a competitor, wrote some cool automated scripts using the ID/password, and grabbed some company data." Interesting story, because Air Canada authorized the employee to access this website and book tickets for himself as part of his severance, but they apparently provide a little more data on that site than what is available to the public.
This discussion has been archived. No new comments can be posted.

Air Canada Sues Over Misuse Of Employee Password

Comments Filter:
  • by LostCluster (625375) * on Wednesday April 07, 2004 @06:02AM (#8790368)
    To airlines, a space-available ticket is something that's being plucked out of the garbage. It represents what they allow most of their employees to do... fly for free when there's an empty seat that's going to be going to be going somewhere. Of course, the critical mistake was that in order for somebody to know if there's going to be space-availalbe, they have to publish on this site how full or not full the plane currently is.

    So there's where the dumb idea play comes in. If they had just let him have some free coach tickets through the customer side the operation then all they'd have to do is give him some limited-use coupon codes. Or they could have given him cash in his severance package. But no, they had had to go with these theoretically near-zero-cost cost tickets... and now look where they are.
    • by Beeswarm (693535) on Wednesday April 07, 2004 @06:19AM (#8790419)
      Hey, space-available tickets are a very good deal for the airlines and the employees who work for them. I probably would not be working for an airline if it weren't for the fact I've been to Europe twice, Japan once, and Mexico more times than I can remember in the last four years, all working at a salary barely twice the minimum wage. The Reservation center I work at has an extremely low turnover rate by call center standards, and most of my co-workers travel abroad on a regular basis. And the company gets lots of happy workers just by giving away the seats they can't sell.
      • It's not so much What Air Canada's doing, but how they went about it. There really doesn't seem to be much reason to give former employees access to private sites. Although it's not too clear in the article, the least they coulda done was create a separate network, with filtered data (i.e. a DB with just empty airline seats, and also coded in different ways so that you don't really have too much of a clue what's going on elsewhere...) Heck maybe the employee shouldn't even have visibility into what routes h
      • by LostCluster (625375) * on Wednesday April 07, 2004 @07:55AM (#8790686)
        They're a great deal for the employees, but revealing which routes have space-available seats shortly before takeoff is highly valuable data. That shouldn't be in trusted the hands of an ex-employee.

        Had they simply upgraded him to a regular coach seat, there'd be no need to be giving him access to the employee-side site. This was a case of being cheap in the near term costing more in the long run...
      • Hey, space-available tickets are a very good deal for the airlines and the employees who work for them.

        What you say is true, but you completely missed the point. By giving space-available tickets to an ex-employee, they opened themselves up to this sort of stuff. He wasn't saying that SA tackets are a dumb idea, only that it's dumb to give them to someone who doesn't work for the company anymore.

        • it's dumb to give them to someone who doesn't work for the company anymore.

          Yeah, someone who works for the company would never do anything nefarious with the information, would they? It just seems obvious that everyone with access to the site, employees or otherwise, should have limits placed on accesses. It's crazy to allow anyone hundreds of thousands of queries.
    • Jesus, write a script kiddie toy to use the existing front end to interrogate the back end once a minute for ten months? What the hell is that?

      If you are going to hack, HACK. Hook up directly to the database back end and write some SQL to extract all the data at once and have it spit out nice neat reports summarizing the data. Run it once a day at most.

      Somehow I think this guy was showing off to his boss the first week like some newbie - probably said 'hey check this out' the first day when showing it
    • Of course, the critical mistake was that in order for somebody to know if there's going to be space-availalbe, they have to publish on this site how full or not full the plane currently is.


      Sorry, wrong!

      Many airlines when you call to wait-list yourself on a flight will do just that.... You don't get any details about how full the flight is.

      If you want to get particular, this is called Non-Revenue Space-Available. I can list myself on a flight that operates 4 months from now that may only have 4 peop
  • by LostCluster (625375) * on Wednesday April 07, 2004 @06:04AM (#8790374)
    Some of Canada's largest pension funds as well as Toronto conglomerate Onex Corp. and several U.S. vulture funds have been mentioned as possible replacement investors in the airline.

    Was that a typo... or is The Globe and Mail public on it's low opinion of venture capital operations?
  • by LostCluster (625375) * on Wednesday April 07, 2004 @06:06AM (#8790379)
    We may see an interesting test case for the validity of website terms of serivce here, or maybe even what happens when a website forgets to cover a form of abuse in the TOS.

    Afterall, the site that was involved here was designed for an internal audience, one that'd not dream of feeding info to a competitor.

    But they couldn't simply delete this guy's account because he was entitled to use that site for the next five years to book free air travel as part of his severance package. If he was told not to give the information to his new employer, that's one thing. But if he wasn't, then who can say that infomation given to an ex-employee without any contract still counts as a trade secret?

    So, if there isn't a TOS on the page in question... things could get really interesting.
    • by Tirel (692085) on Wednesday April 07, 2004 @06:18AM (#8790418)
      Terms of service are displayed so that the provider can discontinue the service to that particular client if he breaks them, it's never used to sue anyone. He didn't seem to hurt their website significantly (after all, it was months before they noticed it?) so there's nothing illegal in that.

      OTOH, if he signed (and not just viewed or clicked on a button), a confidentiality agreement, then he's fucked.
      • Terms of service are displayed so that the provider can discontinue the service to that particular client if he breaks them, it's never used to sue anyone. He didn't seem to hurt their website significantly (after all, it was months before they noticed it?) so there's nothing illegal in that. OTOH, if he signed (and not just viewed or clicked on a button), a confidentiality agreement, then he's fucked.

        Personally I think even if he is "squeaky cleen by the law", I still think he is a sleaze bag. Even if

    • He must surely have signed some sort of compromise agreement when he left, or else where does the fact that he had five years' access come from?

      And if the agreement was drafted without a clause saying he couldn't reveal information to a competitor, then the company's legal/HR team should be fired, not this bloke.

  • by Rosco P. Coltrane (209368) on Wednesday April 07, 2004 @06:07AM (#8790382)
    Some of Canada's largest pension funds as well as Toronto conglomerate Onex Corp. and several U.S. vulture funds have been mentioned as possible replacement investors in the airline.

    Finally a newspaper that calls a cat a cat!
  • by NickeB (763713) on Wednesday April 07, 2004 @06:10AM (#8790387)
    Of course you don't remove old IDs/PWDs, the larger the user database is, the cooler it looks.
    Right?
    • In fact, you shouldn't. You should just have a bit-flag on the accounts saying that they're not allowed to log in... you never know when somebody's coming back to the company and would need their account reactivated.
      • Keep it, as you also might want to know for security reasons if a former employee tries to login.
      • by CoderDevo (30602) <coderdevo@hotmail.com> on Wednesday April 07, 2004 @08:18AM (#8790805) Homepage
        In fact, you shouldn't. You should just have a bit-flag on the accounts saying that they're not allowed to log in... you never know when somebody's coming back to the company and would need their account reactivated.

        Actually, there is no harm in deleting the account. It is typical practice to delete all accounts 30-90 days after an employee leaves. My company maintains a database of past IDs and their owners for forensic & audit purposes. (That database is not used for authentication.) But we have no problem with re-issuing an ID to a new employee if the ID has not been used for a few years.

        However, deleting or disabling the account would not have worked for Air Canada since they already agreed to give the ex-employee access to their space-available tickets website for the 5 years following his departure.

        They could have instead analyzed website activity looking for anomolies, but that may not have worked either since they hadn't anticipated this type of misuse. A better solution would be to not give ex-employees access to any internal data at all. Instead, provide non-employees with only a phone number for a ticket agent who can book the flights for them. But then, that is more expensive. There is risk in being cheap.

        • My company maintains a database of past IDs and their owners for forensic & audit purposes. (That database is not used for authentication.)

          This is a really good, and should be one of the first lessons taught, lesson in application design. Your authentication database should be used only for that. A related identity table should do the trick.
  • by PsiPsiStar (95676) on Wednesday April 07, 2004 @06:10AM (#8790391)
    It seems that the ex-employee used automated technology to access information that he was allowed to access. What makes this information confidential?

    Maybe Lanford signed somthing, but the article doesn't mention what violation Lanford committed, aside from 'using confidential information' that he obviously had access to.

    How effectivly can a company regulate the way that information it discloses can be used?

    IANAL. Maybe there's some sort of quid-pro-quo regarding Lanford's receipt of something tangible like tickets which would make a confidentiality agreement more binding than a simple clickthrough liscense, but does anyone know what it takes for one of those buggers to hold up in court?

    From the article;



    The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website.

    "The continuous and massive use of Lafond's employee ID number and PIN to access the employee website could not be done by one individual and far exceeds any possible potential use by Lafond," Air Canada said.


    Well, obviously he did use the information. It's just a matter of what he used it for.



    "Such massive access to the employee website through one employee ID number could only be accomplished through automated technology."
    • Would he be equally culpable if he repeatedly tried, on a smaller scale, to book free tickets from work which he cancelled at the last minute and his new employer was monitoring his PC without his knowledge?

      Or in this case, what if his employer or some unknown party snooped his login and then proceeded to misuse it without his knowledge? Sounds like a reasonable defence...
    • by Bishop (4500) on Wednesday April 07, 2004 @10:02AM (#8791650)
      I know it is hard for geeks to understand, but there is more to law then what is written down in black and white.

      In this civil suit one of the arguments that will be put forward by Air Canada is whether the use of the information was "reasonable." Their argument will probably include examples of similar agrements all in a effort to convince a judge. It is unlikely that there is any document that states how many times a person can log into the site, or what they may use the information found on the site for. These statements are unecessary.

      The "reasonable" test goes far beyond what has been written on paper. It appears all over civil and criminal law in every court that has ever been influenced by the British, and probably the other European powers as well. It is a giant catch all in some respects. This test is even found at the heart of modern justice in the phrase "...beyond a reasonable doubt."

      Slashdot has reported on many cases where geeks have gotten into trouble when they have assumed that an act was permitted becuase there is no statement preventing said act. This is never the case. In all laws, and in all contracts there is always an implied element of what is reasonable.
      • >In all laws, and in all contracts there is always >an implied element of what is reasonable.

        And in all laws and contracts, if a geek wants to do it, it's unreasonable. Or to put it another way, reasonable behavior is different for geeks. I hope this person is truly judged by a jury of his peers, and not simply folks who consider anything unusual and intellectual to be 'unreasonable.'

        Lets put it this way; lets say you need a username and password to log into ebay. You find the price of certain items
      • Ok.

        If this is a civil matter, you *may* be right.

        If this is a CRIMINAL matter, you are very VERY wrong. Nothing to do with "...beyond a reason doubt." either.

        And, just for your information, the US (I assume you are in that jursdication), does allow acts if there is no statement preventing said act. And that's in your constitution.

        Not so in Canada, but I sure hope that AC has an agreement in place with the ex-employee. Without a mention of web site usage, they are pretty much fucked. Of course, this coul
  • by LostCluster (625375) * on Wednesday April 07, 2004 @06:11AM (#8790396)
    The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website

    It took more than 10 months to realize that this account was hitting the site roughly 750 times per day? Somebody didn't bother to check the logs regularly... this should have smelled funny much faster than that.
    • by Willeh (768540) <rwillem@xs4all.nl> on Wednesday April 07, 2004 @06:14AM (#8790405)
      Or they just assumed he was a compulsive, obsessive control freak checking up on his flight every 5 seconds, and that was the reason they fired him in the first place.
    • by Tom (822) on Wednesday April 07, 2004 @06:50AM (#8790505) Homepage Journal
      You've never admin'ed a major site, have you?

      I have (16k hits/min during the business day). Something like 750 hits per day is well below the line noise threshold for any large site. Unless you look for patterns like that intentionally, you'll never notice.

      • A closed-access site that's offering not-for-publication data isn't a "major site". They eventually caught onto this, but it took them 10 months.
      • Unless you look for patterns like that intentionally...

        What, exactly, is your job again, sir? You mean to tell me that you would not know if a user-account suddenly joined the 99th percentile of heaviest users? Right up there with the usage by the test automatons? You wouldn't question this account's use in the slightest -- even given the wide gap between that account's usage and the accounts below it?

  • Turnabout... (Score:5, Interesting)

    by Anonymous Coward on Wednesday April 07, 2004 @06:13AM (#8790400)
    The funny thing is, Air Canada is one of only a few corporate entities world wide that probably can't afford to sustain litigation against a private citizen =)

    For the benefit of Americans who probably neither know the circumstances (nor really care I'm sure), Air Canada is Canadian's only remaining national airline (i.e. services all parts of the country as opposed to just a few very profitable routes; and does so with legendary rudeness, but that is another story), and it is quite bankrupt. Its chances of survival at this point seem pretty remote.
    • Is it so that Air Canada is actually a French-owned company?
    • I think Air Canada's CEO Robert Milton deserves the IgNobel of economics for taking a monopoly into bankruptcy, and from there likely into liquidation.
  • The moral is? (Score:2, Insightful)

    by Trailwalker (648636)
    The real problem is the lack of security awareness by Air Canada.

    The imformation could have been obtained by noting the place and departure times of all Air Canada's fleights. The ex-employee just made it easier.

    Too, it looks like a sinking ship in search of rats.
    • Re:The moral is? (Score:4, Informative)

      by Beeswarm (693535) on Wednesday April 07, 2004 @06:37AM (#8790469)
      Wrong. The information in question would have to be the flight loads. This would tell you how many people are booked on a specific flight and how many overbookings are allowed. To an employee, this information would be used to plan their travel by seeing which flights they would most likely to get on as a space-available rider. To a competitor, this information would be useful for determining which routes are more profitible because the seats are always full, and which routes already have too much seat capacity.
      • Re:The moral is? (Score:3, Interesting)

        by stecoop (759508)
        Shouldn't we as consumers clamor to have overbooking information too? I would think that if a flight is overbooked than I should see the statistics to determine if I want to buy the ticket.

        Also on the flight loads, if I really (read it twice) want that information, I could have a bunch of apprentices sit outside the loading gates and count the people that boarded having them record the plane and route. Viola - got your information legally.
        • Re:The moral is? (Score:2, Informative)

          by AlecC (512609)
          Shouldn't we as consumers clamor to have overbooking information too? I would think that if a flight is overbooked than I should see the statistics to determine if I want to buy the ticket.

          With budget airlins such as Ryanair and easyJet, you already do, in a way. Prices vary accirding to load. As the flight fills up, prices rise. As the flight date apporaches with lots of empty seats, the price falls. They are using the price carrot to get the max income from those who gotta go when they gotta go, but to
    • Sure, any dummy can make note of departure/arrival times, its probably even accessible from flight control. But how are they going to tell if a route is profitable. The only way to find out is by determining passenger load. This guy had access to that information.

      Of course, you could always try and scan the windows of the plane to see how many people are sitting in there but what if they all sit on the same side?

      My parents were coming to visit me on a new route by a competitor to Air Canada. At some
    • The moral may be the company should be more careful but the fact is that the ex-employee if he actually did this should be prosecuted for thieft. If a person leaves their door open it is not a licence for others to take his property. It may be stupid but stealing remains the action of the thief even if he does not break a lock to do it.

  • by ruprechtjones (545762) <ruprechtjones@NoSpam.gmail.com> on Wednesday April 07, 2004 @06:14AM (#8790406) Homepage
    "Using that confidential information, WestJet adjusted its own schedule, planned its expansion into new routes and adopted pricing strategies to force its larger competitor out of certain markets, Air Canada alleges."

    This is an insider-information case, and he should get what's coming to him. Pure and simple. He abused a quirk, he and WestJet really don't have a strong case here.

    • by danheskett (178529) <`danheskett' `at' `gmail.com'> on Wednesday April 07, 2004 @06:21AM (#8790423)
      But it's insider information he was explicitly allowed to have.

      Air Canada fired him. Laid off. Not any longer employed but continued to give him access to information they wanted to keep private. They have, however, no reasonable expectation that this information would be kept private unless of coure it was previously arranged in the severance or rider contract.

      Insider information isn't illegal perse. For example, if I went and physically counted the number of people getting on and off Air Canada planes at different times, and recorded that and sold it to WestJet things would be just fine. It's called market research.

      The real issue here isn't insider information. It seems to be in my opinion trade secret.
      • by ruprechtjones (545762) <ruprechtjones@NoSpam.gmail.com> on Wednesday April 07, 2004 @06:30AM (#8790450) Homepage
        The real issue here isn't insider information. It seems to be in my opinion trade secret.

        I'm sorry, you are correct. This is a trade secret issue. If Air Canada can cough up the paperwork saying he was only allowed to use his insider information to book his own tickets and absolutely nothing else, then it's an open-shut case. If not, then it'll be interesting to see how WestJet's lawyers defend this dude.

      • But it's insider information he was explicitly allowed to have.

        The issue wasn't that he had the information, but that he passed it on without Air Canada's authorization.

        -jcr

        • Without a contract or binding confidentiality clause you are free to redistribute any information you are given, what this guy did might not be ethical but absent a contract he is probably free both civily and criminally.
    • How do you know that he didn't just automate checking which flights had empty seats on them, so he could take advantage of his free tickets?

      Sure, it looks likely that he passed this information onto his new employer, but unless you are the defendant, how can you be so sure?

      The world needs more people who don't just jump to conclusions from reading one newspaper article.

  • by adamofgreyskull (640712) on Wednesday April 07, 2004 @06:15AM (#8790408)
    I guess it depends on what terms and conditions were specified when they gave him the login and password. If he had to sign an agreement when he got them..presumably they would still be in effect as long as the Login/Password was active.

    If the use of the login and password was specified in an employment contract though, would he still be bound to the Ts&Cs after he left?

  • by beacher (82033) on Wednesday April 07, 2004 @06:24AM (#8790428) Homepage
    I'm currently working on a project like this as we speak. My company's website is getting nailed from a handful of IP addresses that do nothing but datamining. We've come to the conclusion that captchas would penalize joe user and we're going to move forward with some applications that throttle requests by IP. We don't keep private information outside of account specific data...

    My company is looking at it in a different way tho - We've figured out what click sequences are used and we're going to address the business need that these few bots have identified. If these 3rd party bots are selling atomic or aggregate data, well, why not cut them off at the source and sell the data for less?

    The company failed in 2 areas - 1) keeping sensitive inside information from their outward facing internet site and 2) They should have rescinded the ID. I'm not sure about making their data available to the competition, but thats an inevitibility that they need to account for.
    -B
    • by Anonymous Coward on Wednesday April 07, 2004 @06:41AM (#8790485)
      shutting it off is the weak minds way to resolve the issue.

      identify the bots and slowly poison their data instead. thats how a man should do it.
      whenever the bot is digging into your data, instead of real data feed it fake garbage data instead. poisoned garbage data should however only be slightly off not to make it obvious that it is garbage data. the point is : it should take long to realize that the data is posioned. When they realize the data is poisoned they should not be able to tell what data is real and what is poisoned so they will have to throw ALL data away.

      So that when the finally realize they have been poisoned it will be too late to do anything about it.
      • by beacher (82033) on Wednesday April 07, 2004 @06:57AM (#8790524) Homepage
        You do have a firewall, right? Absolutely

        So that when the finally realize they have been poisoned it will be too late to do anything about it.
        Not ethical and impractical. Just how many requests does it take before you start poisoning? 1000 per hour? We get that many hits from AOL and they come in through a gateway. If we were poisoning legitimate users data, that would be unacceptible.

        Why don't you go the ebay way and provide an API into your web site, then change the format slightly every month so breaking the web crawlers? After all, you may as well make money out of the data miners. We have *extensive* APIs into most of our systems. We're trying to get the bots to use and license the APIs. I have been talking with some of the developers to try to put some unicode inside (human readable but bot breaking).. They may be looking into this. We don't make any money off the data miners.
    • I'm currently working on a project like this as we speak. My company's website is getting nailed from a handful of IP addresses that do nothing but datamining. We've come to the conclusion that captchas would penalize joe user and we're going to move forward with some applications that throttle requests by IP. We don't keep private information outside of account specific data...?

      The best defense against dataminers is garbage data...

      Instead of giving the overzealous IP a limit as to how much they can down
  • The Funny Part (Score:5, Interesting)

    by Fortress (763470) on Wednesday April 07, 2004 @06:39AM (#8790473) Homepage
    For me, being Canadian, the funniest part of the whole article is how Air Canada's suit is looking for lost profits. Air Canada hasn't made a profit in decades, being a quasi-Crown corporation that can depend on the govt bailing them out when they run out of money.

    Seems to me that Air Canada will have to pay WestJet money for "lost profits," since they spared them from losing money on those flights!
    • Re:The Funny Part (Score:5, Insightful)

      by Snosty (210966) on Wednesday April 07, 2004 @06:59AM (#8790534) Homepage
      On a slightly related note I was booking a flight from Vancouver to London last year and found the cheapest flight in the area was from Seattle to London via Vancouver on Air Canada. Booking the direct flight from Vancouver to London on Air Canada was nearly twice as expensive as taking a commuter flight from Seattle to Vancouver and then getting on that same direct flight to London.

      Why not skip the Seattle leg and get on in Vancouver? If you miss the first leg of a flight you are not allowed to make the second leg even when in this case there was an 8 hour layover in Vancouver. As Seattle is only 2.5 hours drive from Vancouver it is conceivable someone could miss the flight from Seattle to Vancouver and still quite easily make the flight from Vancouver to London by catching the train north.

      My point, anyways, was that I was pissed that an airline subsidized by Canadian taxpayers was offering flights to Americans at just over half the price they were offering it to Canadians.

      And before any of you idiots ask the price difference had nothing to do with the exchange rate. ;)
      • I don't know why this happens, but it's not just Air Canada.

        This past summer I was pricing flights from Wisconsin to Beijing. Normally it's cheapest to fly out of Chicago on United, as they have a daily direct flight, and everybody else makes you change planes and pay more. But Chicago is five hours by car away from where I was at the time, so I thought I'd see how much it was to fly out of Madison. I found a ticket that just flew from Madison to Chicago to Beijing (a highly ironic path because the flight
      • That's because pricing has nothing to do with cost. You price to what the market will bear while providing the best overall return. Only then do you compare that price to your cost. If the price is more than the cost, you do it. If not, you don't. Simple as that, and where most small business really screw up.

        We had to fly to new england from Dallas a few months ago. The price out of D/FW was about $1400 for a direct flight on AA, because lots of people want to fly out of Dallas. The price out of Aus
        • They would have had a problem if they had checked baggage, which would have gone on to Austin, where it would probably be destroyed, possibly by the bomb squad. Seriously, though, getting off the plane when you are not meant to is one thing airlines and governments get very pissed off about for security reasons - e.g. you get off at a stopover, leaving the bomb you placed in your baggage on the flight.
          • You can get around this by gate-checking your bags. Then it will get off the same stop as you. If you're really lucky, you'll be able to bring it as carry-on. (This only works if you have a relatively small amount of baggage, of course. The TSA won't let you bring a cartfull of suitcases through security.)

            But you can only do this if you're on a one-way ticket (or the return side of a round trip). If you deliberately miss one flight, the airline will cancel the rest of your itinerary and you'll be stranded.
      • When I lived in London, Ontario (YXU), it was often cheaper to fly to the real London (LHR) if we flew from YXU via Toronto (YYZ) rather than driving up to YYZ (90 minute drive) and taking the same plane from there. However, taking the same YXU to YYZ flight only was probably 2/3-4/3 the price (depending on how lucky you were) of whole YXU to LHR. How can a flight less than an hour cost the same or more than a 7 hour transatlantic flight?

        The price structures of the airlines are despicable and your case h
      • Re:The Funny Part (Score:3, Interesting)

        by bluGill (862)

        Thats not nearly as bad as the time My sister wanted to go Minneapolis-Washington D.C., and found the cheapest fare involved a plane change in Paris, France! She decided not to do that, but seriously considered spending a day in France both ways to see the sights, it would still save money. (IIRC she didn't have enough vacation time saved up)

      • It's not just London, I found the same results on a flight to Tokyo. Seattle->Vancouver->Tokyo was several hundred dollars cheaper than simply Vancouver->Tokyo, even though the flight numbers and departure times made it obvious this was the exact same airplane. The one problem was that I couldn't get a straight answer from anyone if I could get on in Vancouver if I was supposed to start in Seattle. I ended up going with a different airline (Cathay Pacific) which was cheaper than Air Canada from
    • by Anonymous Coward
      ... corporation that can depend on the govt bailing them out when they run out of money

      What's wrong with that? That's how they do it in the USA.

      • What's wrong with it is that in the US they seem to bail out ANY airline that is about to fail if it is of sufficient size, probably justified as "saving jobs."

        Up North here, only Air Canada seems to enjoy this security net, as other airlines have to succeed in the marketplace to survive. This is made worse by AC pricing some flights under cost to "compete," then when competition is eliminated they cry to the govt for loan guarantees or other forms of bailout. They enjoy this arrangement because as Air Can
      • And that makes it right how?
  • by Tedium Unleased (764661) on Wednesday April 07, 2004 @06:42AM (#8790488)
    How do we know they were 'cool' scripts. If he was such a great scripter, why was he let go.. or is simple web crawler enough to pass for 'cool' these days. Perhaps they were among some of the most inefficient scripts of all time, rivaling those found in the Hall of Terrible Programming.
  • You are entering an Official Air Canada System, which may be used only for authorized purposes. Unauthorized modification of any information stored on this system may result in criminal prosecution. The Government may monitor and audit the usage of this system, and all persons are hereby notified that use of this system constitutes consent to such monitoring and auditing.
  • OK, you want to find out which seats are going unused, and you know there is this website, do you use your **own** ID, or do you slip a backhander to some low paid IT staff to pass you somebody elses?

    And if you are the low paid IT worker whose code do you give? Somebody who has left the company but is still in the system.

    True, it's fishy that the ID belonged to somebody who went to a competitor, but how many major airline employees have moved to budget airline companies?

    I think Air Canada whould at le

  • by hwestiii (11787) on Wednesday April 07, 2004 @07:12AM (#8790572) Homepage
    The story digest may have this completely wrong. It says "What do you do when you let an employee go? You kill their password and ID, right?"

    The activity in question appears to have been facilitated by access granted as part of his severance package. As the article notes: "As part of his separation package when Lafond left Canadian Airlines in October 2000, he received two space-available airline tickets per year for five years. These tickets are booked through the private website."

    The article is actually a little hazy on the details here. Though it doesn't specifically say so, it seems to imply that the separation agreement gave the terminated employee direct access to this private web site through a user name and password. One can imagine other ways this could be done that didn't involve direct access to the employee, like through a dedicated fulfillment provider, for example.

    Either way, it sounds like it all amounts to some pretty dumb corporate behavior on the part of Air Canada. Either bad security practices if they didn't cut off the guy's access, or bad auditting if all that use went unnoticed for so long.
  • Not how - but what. (Score:5, Informative)

    by Saggi (462624) on Wednesday April 07, 2004 @07:23AM (#8790601) Homepage
    In Denmark where I live the rules are simple.

    You don't get sued for accessing the website, with or without an illegal id. You get sued if you misuse information you gained in your former employment. It doesn't matter if it is in your contract, the commerce laws in Denmark forbid use of inside knowledge to harm other companies - as it clearly is happening in this case.

    I would guess that Canada have some similar laws.

    So how you obtain the information is irrelevant - even thou this case in interesting from a slash-dot point of view.
    • You get sued if you misuse information you gained in your former employment.

      But the thing is - he's not using information he gained in his former employment.

      He didn't get the information while he was employed there - he got it after he left, from a website that is available to non-employees.

      forbid use of inside knowledge to harm other companies

      But it's not inside knowledge - if it was inside knowledge, then (by definition) it would be kept inside. The fact that Air Canada releases this information t
  • by spottedkangaroo (451692) * on Wednesday April 07, 2004 @08:13AM (#8790775) Homepage
    This guy is the reason the IT industry is full of non-compete contracts... what a 100% total asshole.
  • by Punk Walrus (582794) on Wednesday April 07, 2004 @08:26AM (#8790858) Journal
    Back when I did contract work, I always told my employers, via public e-mail, to change the system passwords, and then listen which systems I had access to. This way, if they ever got hacked, I could always say, "Well, I *told* you to change them..."

    I'm not sure anymore if that would help, but I know at least one company never changed their passwords because their vendors kept paging me, up to a year later, to "go into the system and make these changes." One of the vendor contacts and I had became good friends, and one day he begged, "We can't get in, and those bozos won't answer our pages." So I told them the last password I had, stating it probably wouldn't work. Nope, he got right in. Root access to a major gateway.

    And the password was easy too, like abc123 "That's the combo on my luggage" easy. Considering this gateway controlled 48 T1 lines to a large call center, I shudder to think how it could be used if phreaked.

    • +3,Interesting??

      Doing that gives you no legal leg to stand on whatsoever. It's like pointing a gun at someone's head, saying "duck!" then shooting them. The very act in itself is illegal, regardless of whether you gave prior warning or not, and regardless of how many meetings they had to discuss the vulnerability...

  • 'The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website'

    Let's see who's visiting our website last month...OMG!

    How could a commercial website be so clueless?
  • by bbq_jedi (647653) on Wednesday April 07, 2004 @08:53AM (#8791031)
    Quote from Wompom website:
    " If AC really knew the truth they would realise that access had been made following the circulation of the PIN on airline chat lines earlier this year. WomPom even used it to verify its functionality."

    http://www.wompom.ca/news/wp2004apr07.htm#1

    Duh...
  • by fudgefactor7 (581449) on Wednesday April 07, 2004 @09:07AM (#8791137)
    Issue 1: Stupidity of the organization to not lock down permissions and/or kill the account/password.

    Issue 2: Duplicity from the former employee accessing data he knew full well that he should not have accessed.

    Both need to harbor the blame for their part.
  • Grain of salt (Score:4, Insightful)

    by Ctrl-Z (28806) <tim AT timcoleman DOT com> on Wednesday April 07, 2004 @09:31AM (#8791369) Homepage Journal
    Just be careful. These are only allegations, and one should take any claims that Air Canada makes about WestJet with a couple of grains of salt. They have a huge WestJet complex. Not that I'm saying that this kind of thing couldn't happen.
  • law (Score:2, Interesting)

    by Ryntis (746177)
    im not up on canadian law.. but if its anything like the US they better hope he signed his non-competition agreement nice and clear :)
  • by sillypixie (696077) on Wednesday April 07, 2004 @10:51AM (#8792085) Journal
    Lawsuit aside, what about this guy's sense of professional ethics? Regardless of what TOS the AC site put up, or whether the guy could get away with it on a technicality, who wants that type of person working at their company?

    And if I was his boss at WestJet, I'd be nervously trying to figure out what data this guy will 'volunteer' once he leaves his current employment...

    It has been pointed out that the data he retrieved from WestJet, he retrieved after he left, and therefore didn't steal it - but the existence of the server, and the fact that he could access it - is information that this guy had a professional obligation to keep to himself.

    I hope WestJet takes care of him, 'cause I can't imagine him working anywhere else now...

    Pixie
  • by Stavr0 (35032) on Wednesday April 07, 2004 @11:16AM (#8792368) Homepage Journal
    IBM and Air Canada Expand Relationship Carrier to help design airline-specific systems in bid to recoup its IT costs [computerworld.com]

    What does this say about outsourcing VS IT security ... and India [slashdot.org] too.

  • but logging into a website 32 times an hour for 10 months; is that really necessary to get the information Westjet is accused of using?

    I would think a couple of times an hour at most would be all that is required to gather flight loads. I can't see a whole lot of passengers waiting until 2 minutes before the flight to book their tickets (it may happen once or twice, but over the course of months those will be anomolies). So either Westjet was being stupid and killed the goose that laid the golden egg, or

  • by Doc Ruby (173196) on Wednesday April 07, 2004 @02:08PM (#8794563) Homepage Journal
    Air Canada is liable to those whose data (and lives) they protect, for leaving the door unlocked on a busy street. And the ex-employee is liable for trespassing, regardless of their posession of an old key, once disinvited from the premises, to say nothing of theft and privacy invasion. Corporation vs. ex-employee is a false choice: they're all guilty.

"Marriage is like a cage; one sees the birds outside desperate to get in, and those inside desperate to get out." -- Montaigne

Working...