Air Canada Sues Over Misuse Of Employee Password 215
Anonymous Coward writes "What do you do when you let an employee go? You kill their password and ID, right? Air Canada didn't, and they're now in court because the employee went to a competitor, wrote some cool automated scripts using the ID/password, and grabbed some company data." Interesting story, because Air Canada authorized the employee to access this website and book tickets for himself as part of his severance, but they apparently provide a little more data on that site than what is available to the public.
If you deal in garbage, you might attract flies. (Score:5, Informative)
So there's where the dumb idea play comes in. If they had just let him have some free coach tickets through the customer side the operation then all they'd have to do is give him some limited-use coupon codes. Or they could have given him cash in his severance package. But no, they had had to go with these theoretically near-zero-cost cost tickets... and now look where they are.
I'm not sure if I understand (Score:5, Informative)
Maybe Lanford signed somthing, but the article doesn't mention what violation Lanford committed, aside from 'using confidential information' that he obviously had access to.
How effectivly can a company regulate the way that information it discloses can be used?
IANAL. Maybe there's some sort of quid-pro-quo regarding Lanford's receipt of something tangible like tickets which would make a confidentiality agreement more binding than a simple clickthrough liscense, but does anyone know what it takes for one of those buggers to hold up in court?
From the article;
The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website.
"The continuous and massive use of Lafond's employee ID number and PIN to access the employee website could not be done by one individual and far exceeds any possible potential use by Lafond," Air Canada said.
Well, obviously he did use the information. It's just a matter of what he used it for.
"Such massive access to the employee website through one employee ID number could only be accomplished through automated technology."
Re:Calling a spade a "spade" are we? (Score:5, Informative)
Rights? Clearly abused. (Score:3, Informative)
This is an insider-information case, and he should get what's coming to him. Pure and simple. He abused a quirk, he and WestJet really don't have a strong case here.
Re:Calling a spade a "spade" are we? (Score:5, Informative)
Comment removed (Score:5, Informative)
Re:The moral is? (Score:4, Informative)
Not how - but what. (Score:5, Informative)
You don't get sued for accessing the website, with or without an illegal id. You get sued if you misuse information you gained in your former employment. It doesn't matter if it is in your contract, the commerce laws in Denmark forbid use of inside knowledge to harm other companies - as it clearly is happening in this case.
I would guess that Canada have some similar laws.
So how you obtain the information is irrelevant - even thou this case in interesting from a slash-dot point of view.
Re:I'm not sure if I understand (Score:3, Informative)
Same goes if Joe Smith user gets a virus on his computer that spamms the heck out of an ISP and the ISP gets on blacklists. Joe Smith user is ultimately responsible for the spam, and should be booted from the ISP (assuming the TOS allows it) for letting the spamer (knowingly or otherwise) use his account to send spam.
Re:If you deal in garbage, you might attract flies (Score:5, Informative)
Had they simply upgraded him to a regular coach seat, there'd be no need to be giving him access to the employee-side site. This was a case of being cheap in the near term costing more in the long run...
Re:It's all about size. (Score:5, Informative)
Actually, there is no harm in deleting the account. It is typical practice to delete all accounts 30-90 days after an employee leaves. My company maintains a database of past IDs and their owners for forensic & audit purposes. (That database is not used for authentication.) But we have no problem with re-issuing an ID to a new employee if the ID has not been used for a few years.
However, deleting or disabling the account would not have worked for Air Canada since they already agreed to give the ex-employee access to their space-available tickets website for the 5 years following his departure.
They could have instead analyzed website activity looking for anomolies, but that may not have worked either since they hadn't anticipated this type of misuse. A better solution would be to not give ex-employees access to any internal data at all. Instead, provide non-employees with only a phone number for a ticket agent who can book the flights for them. But then, that is more expensive. There is risk in being cheap.
Re:The Funny Part (Score:3, Informative)
Re:The moral is? (Score:2, Informative)
With budget airlins such as Ryanair and easyJet, you already do, in a way. Prices vary accirding to load. As the flight fills up, prices rise. As the flight date apporaches with lots of empty seats, the price falls. They are using the price carrot to get the max income from those who gotta go when they gotta go, but to suck in price sensitive travellers to fill otherwise empty seats.
Also on the flight loads, if I really (read it twice) want that information, I could have a bunch of apprentices sit outside the loading gates and count the people that boarded having them record the plane and route. Viola - got your information legally.
At a mind-boggling price. It's not the information on one flight from one airport that is valuable, it is lots of flights from lots of airports. Employing apprentices may be cheap - but not that cheap, compared to sucking it out of a database.
Re:If you deal in garbage, you might attract flies (Score:3, Informative)
What you say is true, but you completely missed the point. By giving space-available tickets to an ex-employee, they opened themselves up to this sort of stuff. He wasn't saying that SA tackets are a dumb idea, only that it's dumb to give them to someone who doesn't work for the company anymore.
Re:Job opportunity? (Score:1, Informative)
While they'll probably survive in some fashion, it doesn't seem like a stable place to work.
Re:If you deal in garbage, you might attract flies (Score:2, Informative)
Yeah, someone who works for the company would never do anything nefarious with the information, would they? It just seems obvious that everyone with access to the site, employees or otherwise, should have limits placed on accesses. It's crazy to allow anyone hundreds of thousands of queries.
Re:IgNobel (Score:3, Informative)
Non-Canadian airlines will fly in and out of Canadian cities, but there are a bunch of regulations preventing them from being true competition for Air Canada. For instance, Delta can't fly from Toronto to Vancouver to Tokyo. We have to fly from Toronto to Chicago to Tokyo instead. Something like that, as I understand it.
In any case, some of the smaller airlines (like Air Transat) have been constantly growing and adding new routes, but it takes a while.
Typical (Score:1, Informative)
Re:If you deal in garbage, you might attract flies (Score:2, Informative)
I've actually had the opportunity to use these "space-available" tickets from time to time (my dad worked for an airline), and unfortunately "there are / aren't some free seats" isn't enough information to plan your trip... your seat basically isn't confirmed until all the paying customers are physically on the plane, so knowing whether there are 2 or 20 seats available the day before makes a big difference as to how likely you are to end up stuck at the airport.
That having been said, since I wasn't an actual employee I couldn't use the web site myself, I had to call and speak to a human operator. They'd tell me the actual number of open seats, but it seems unlikely WestJet would be able to do this 240,000 times without somebody catching on :P. (of course, then Air Canada would have their former employees suing them over interminable hold times, but that's a whole different problem.)