Air Canada Sues Over Misuse Of Employee Password

Anonymous Coward writes "What do you do when you let an employee go? You kill their password and ID, right? Air Canada didn't, and they're now in court because the employee went to a competitor, wrote some cool automated scripts using the ID/password, and grabbed some company data." Interesting story, because Air Canada authorized the employee to access this website and book tickets for himself as part of his severance, but they apparently provide a little more data on that site than what is available to the public.

If you deal in garbage, you might attract flies.

[LostCluster]

To airlines, a space-available ticket is something that's being plucked out of the garbage. It represents what they allow most of their employees to do... fly for free when there's an empty seat that's going to be going to be going somewhere. Of course, the critical mistake was that in order for somebody to know if there's going to be space-availalbe, they have to publish on this site how full or not full the plane currently is.

So there's where the dumb idea play comes in. If they had just let him have some free coach tickets through the customer side the operation then all they'd have to do is give him some limited-use coupon codes. Or they could have given him cash in his severance package. But no, they had had to go with these theoretically near-zero-cost cost tickets... and now look where they are.

I'm not sure if I understand

[PsiPsiStar]

It seems that the ex-employee used automated technology to access information that he was allowed to access. What makes this information confidential?

Maybe Lanford signed somthing, but the article doesn't mention what violation Lanford committed, aside from 'using confidential information' that he obviously had access to.

How effectivly can a company regulate the way that information it discloses can be used?

IANAL. Maybe there's some sort of quid-pro-quo regarding Lanford's receipt of something tangible like tickets which would make a confidentiality agreement more binding than a simple clickthrough liscense, but does anyone know what it takes for one of those buggers to hold up in court?

From the article;



The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website.

"The continuous and massive use of Lafond's employee ID number and PIN to access the employee website could not be done by one individual and far exceeds any possible potential use by Lafond," Air Canada said.

Well, obviously he did use the information. It's just a matter of what he used it for.



"Such massive access to the employee website through one employee ID number could only be accomplished through automated technology."

Re:Calling a spade a "spade" are we?

[asreal]

Yes, they meant vultures. Air Canada is dying, and these funds are just waiting for them to keel over before they swoop down for the feed. Thus, vulture funds.

Rights? Clearly abused.

[ruprechtjones]

"Using that confidential information, WestJet adjusted its own schedule, planned its expansion into new routes and adopted pricing strategies to force its larger competitor out of certain markets, Air Canada alleges."

This is an insider-information case, and he should get what's coming to him. Pure and simple. He abused a quirk, he and WestJet really don't have a strong case here.

Re:Calling a spade a "spade" are we?

[qvanderm]

Not a typo. Vulture Funds [investopedia.com] specialize in 'distressed' investments. A money-burning operation like Air Canada certainly qualifies.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:The moral is?

[Beeswarm]

Wrong. The information in question would have to be the flight loads. This would tell you how many people are booked on a specific flight and how many overbookings are allowed. To an employee, this information would be used to plan their travel by seeing which flights they would most likely to get on as a space-available rider. To a competitor, this information would be useful for determining which routes are more profitible because the seats are always full, and which routes already have too much seat capacity.

Not how - but what.

[Saggi]

In Denmark where I live the rules are simple.

You don't get sued for accessing the website, with or without an illegal id. You get sued if you misuse information you gained in your former employment. It doesn't matter if it is in your contract, the commerce laws in Denmark forbid use of inside knowledge to harm other companies - as it clearly is happening in this case.

I would guess that Canada have some similar laws.

So how you obtain the information is irrelevant - even thou this case in interesting from a slash-dot point of view.

Re:I'm not sure if I understand

[matth]

Tough bananas. As the account holder it is MY responsibility to make sure that the account is secure. Whatever is done on or with that account is my responsibility and I am ultimately responsible.

Same goes if Joe Smith user gets a virus on his computer that spamms the heck out of an ISP and the ISP gets on blacklists. Joe Smith user is ultimately responsible for the spam, and should be booted from the ISP (assuming the TOS allows it) for letting the spamer (knowingly or otherwise) use his account to send spam.

Re:If you deal in garbage, you might attract flies

[LostCluster]

They're a great deal for the employees, but revealing which routes have space-available seats shortly before takeoff is highly valuable data. That shouldn't be in trusted the hands of an ex-employee.

Had they simply upgraded him to a regular coach seat, there'd be no need to be giving him access to the employee-side site. This was a case of being cheap in the near term costing more in the long run...

Re:It's all about size.

[CoderDevo]

In fact, you shouldn't. You should just have a bit-flag on the accounts saying that they're not allowed to log in... you never know when somebody's coming back to the company and would need their account reactivated.

Actually, there is no harm in deleting the account. It is typical practice to delete all accounts 30-90 days after an employee leaves. My company maintains a database of past IDs and their owners for forensic & audit purposes. (That database is not used for authentication.) But we have no problem with re-issuing an ID to a new employee if the ID has not been used for a few years.

However, deleting or disabling the account would not have worked for Air Canada since they already agreed to give the ex-employee access to their space-available tickets website for the 5 years following his departure.

They could have instead analyzed website activity looking for anomolies, but that may not have worked either since they hadn't anticipated this type of misuse. A better solution would be to not give ex-employees access to any internal data at all. Instead, provide non-employees with only a phone number for a ticket agent who can book the flights for them. But then, that is more expensive. There is risk in being cheap.

Re:The Funny Part

[swv3752]

Airporrt fees come into play. Different Airports charge different amounts. Checkin fees are higher than transfer fees.

Re:The moral is?

[AlecC]

Shouldn't we as consumers clamor to have overbooking information too? I would think that if a flight is overbooked than I should see the statistics to determine if I want to buy the ticket.

With budget airlins such as Ryanair and easyJet, you already do, in a way. Prices vary accirding to load. As the flight fills up, prices rise. As the flight date apporaches with lots of empty seats, the price falls. They are using the price carrot to get the max income from those who gotta go when they gotta go, but to suck in price sensitive travellers to fill otherwise empty seats.

Also on the flight loads, if I really (read it twice) want that information, I could have a bunch of apprentices sit outside the loading gates and count the people that boarded having them record the plane and route. Viola - got your information legally.

At a mind-boggling price. It's not the information on one flight from one airport that is valuable, it is lots of flights from lots of airports. Employing apprentices may be cheap - but not that cheap, compared to sucking it out of a database.

Re:If you deal in garbage, you might attract flies

[Dun Malg]

Hey, space-available tickets are a very good deal for the airlines and the employees who work for them.

What you say is true, but you completely missed the point. By giving space-available tickets to an ex-employee, they opened themselves up to this sort of stuff. He wasn't saying that SA tackets are a dumb idea, only that it's dumb to give them to someone who doesn't work for the company anymore.

Re:Job opportunity?

[Anonymous Coward]

Um, Air Canada is bankrupt - a few days ago a news report said they were losing CDN$5 million/day.

While they'll probably survive in some fashion, it doesn't seem like a stable place to work.

Re:If you deal in garbage, you might attract flies

[tuxlove]

it's dumb to give them to someone who doesn't work for the company anymore.

Yeah, someone who works for the company would never do anything nefarious with the information, would they? It just seems obvious that everyone with access to the site, employees or otherwise, should have limits placed on accesses. It's crazy to allow anyone hundreds of thousands of queries.

Re:IgNobel

[Zardoz44]

Actually, there is CanJet, WestJet, Air Transat, JetsGo, Zoom, and possibly a few others. The difference is that Air Canada is really the only internation business airline in Canada, the others being national business or vacation-charter type.

Non-Canadian airlines will fly in and out of Canadian cities, but there are a bunch of regulations preventing them from being true competition for Air Canada. For instance, Delta can't fly from Toronto to Vancouver to Tokyo. We have to fly from Toronto to Chicago to Tokyo instead. Something like that, as I understand it.

In any case, some of the smaller airlines (like Air Transat) have been constantly growing and adding new routes, but it takes a while.

Typical

[WookieinHeat]

This is just more typical Air Canada stuff. They are constantly plagued by these problems, mainly due to bad management. Every few years Air Canada goes through some huge financial crisis and all of a sudden becomes public property forcing the tax payers to foot the bill of their frivilous spending then as soon as they become profitable again (not usually for very long) the profits are directed into the pockets of the very people who put the company in that position in the first place and whos asses the tax payers just saved. So I personally would like to see Air Canada chopped to bits by one of those "vulture" companies so they stop costing me, and the rest of the Canadian tax payers, money.

Re:If you deal in garbage, you might attract flies

[Loozrboy]

I've actually had the opportunity to use these "space-available" tickets from time to time (my dad worked for an airline), and unfortunately "there are / aren't some free seats" isn't enough information to plan your trip... your seat basically isn't confirmed until all the paying customers are physically on the plane, so knowing whether there are 2 or 20 seats available the day before makes a big difference as to how likely you are to end up stuck at the airport.

That having been said, since I wasn't an actual employee I couldn't use the web site myself, I had to call and speak to a human operator. They'd tell me the actual number of open seats, but it seems unlikely WestJet would be able to do this 240,000 times without somebody catching on :P. (of course, then Air Canada would have their former employees suing them over interminable hold times, but that's a whole different problem.)