Air Canada Sues Over Misuse Of Employee Password 215
Anonymous Coward writes "What do you do when you let an employee go? You kill their password and ID, right? Air Canada didn't, and they're now in court because the employee went to a competitor, wrote some cool automated scripts using the ID/password, and grabbed some company data." Interesting story, because Air Canada authorized the employee to access this website and book tickets for himself as part of his severance, but they apparently provide a little more data on that site than what is available to the public.
What was the TOS? Was there even one? (Score:5, Insightful)
Afterall, the site that was involved here was designed for an internal audience, one that'd not dream of feeding info to a competitor.
But they couldn't simply delete this guy's account because he was entitled to use that site for the next five years to book free air travel as part of his severance package. If he was told not to give the information to his new employer, that's one thing. But if he wasn't, then who can say that infomation given to an ex-employee without any contract still counts as a trade secret?
So, if there isn't a TOS on the page in question... things could get really interesting.
The moral is? (Score:2, Insightful)
The imformation could have been obtained by noting the place and departure times of all Air Canada's fleights. The ex-employee just made it easier.
Too, it looks like a sinking ship in search of rats.
Terms and conditions... (Score:4, Insightful)
If the use of the login and password was specified in an employment contract though, would he still be bound to the Ts&Cs after he left?
Re:What was the TOS? Was there even one? (Score:5, Insightful)
OTOH, if he signed (and not just viewed or clicked on a button), a confidentiality agreement, then he's fucked.
Re:If you deal in garbage, you might attract flies (Score:5, Insightful)
Re:Rights? Clearly abused. (Score:3, Insightful)
Sure, it looks likely that he passed this information onto his new employer, but unless you are the defendant, how can you be so sure?
The world needs more people who don't just jump to conclusions from reading one newspaper article.
Re:Calling a spade a "spade" are we? (Score:1, Insightful)
Re:Dealing with this right now (Score:4, Insightful)
identify the bots and slowly poison their data instead. thats how a man should do it.
whenever the bot is digging into your data, instead of real data feed it fake garbage data instead. poisoned garbage data should however only be slightly off not to make it obvious that it is garbage data. the point is : it should take long to realize that the data is posioned. When they realize the data is poisoned they should not be able to tell what data is real and what is poisoned so they will have to throw ALL data away.
So that when the finally realize they have been poisoned it will be too late to do anything about it.
Re:The Funny Part (Score:5, Insightful)
Why not skip the Seattle leg and get on in Vancouver? If you miss the first leg of a flight you are not allowed to make the second leg even when in this case there was an 8 hour layover in Vancouver. As Seattle is only 2.5 hours drive from Vancouver it is conceivable someone could miss the flight from Seattle to Vancouver and still quite easily make the flight from Vancouver to London by catching the train north.
My point, anyways, was that I was pissed that an airline subsidized by Canadian taxpayers was offering flights to Americans at just over half the price they were offering it to Canadians.
And before any of you idiots ask the price difference had nothing to do with the exchange rate.
reason window whatever (Score:4, Insightful)
Re:Rights? Clearly abused. (Score:3, Insightful)
Which logic is that? Certainly not any that was posted here.
if you leave your front door unlocked, and I walk in and take your stuff, it's OK, because you allowed me access to it
No. More like: if I gave you a key to my front door, and told you to take whatever you wanted from my fridge, and you come in, clean out the fridge, and sell it to the market across the street, then it's OK, because I gave you access to it.
Which it would be (because I have given you permission.)
he was clearly in the wrong with his actions
Not necessarily. If he had an agreement that he wouldn't give/sell the information to anyone, then you may have a point, but if there was no such agreement, then he's quite clearly not in the wrong.
I don't think this qualifies as insider information, but more appropriately called company proprietary, or company confidential information
If it was proprietary, or confidential, then the company should have had measures in place to keep it that way. You can't give something to someone with no strings attached, and then cry foul when they use it for something you don't like.
Re:What was the TOS? Was there even one? (Score:3, Insightful)
And if the agreement was drafted without a clause saying he couldn't reveal information to a competitor, then the company's legal/HR team should be fired, not this bloke.
There are 2 issues here (Score:4, Insightful)
Issue 2: Duplicity from the former employee accessing data he knew full well that he should not have accessed.
Both need to harbor the blame for their part.
Grain of salt (Score:4, Insightful)
Re:I'm not sure if I understand (Score:5, Insightful)
In this civil suit one of the arguments that will be put forward by Air Canada is whether the use of the information was "reasonable." Their argument will probably include examples of similar agrements all in a effort to convince a judge. It is unlikely that there is any document that states how many times a person can log into the site, or what they may use the information found on the site for. These statements are unecessary.
The "reasonable" test goes far beyond what has been written on paper. It appears all over civil and criminal law in every court that has ever been influenced by the British, and probably the other European powers as well. It is a giant catch all in some respects. This test is even found at the heart of modern justice in the phrase "...beyond a reasonable doubt."
Slashdot has reported on many cases where geeks have gotten into trouble when they have assumed that an act was permitted becuase there is no statement preventing said act. This is never the case. In all laws, and in all contracts there is always an implied element of what is reasonable.
Re:Thou shalt check thine logs... (Score:1, Insightful)
How about Professional Ethics? (Score:5, Insightful)
And if I was his boss at WestJet, I'd be nervously trying to figure out what data this guy will 'volunteer' once he leaves his current employment...
It has been pointed out that the data he retrieved from WestJet, he retrieved after he left, and therefore didn't steal it - but the existence of the server, and the fact that he could access it - is information that this guy had a professional obligation to keep to himself.
I hope WestJet takes care of him, 'cause I can't imagine him working anywhere else now...
Pixie
FYI: Air Canada's IT was outsourced in 1994 (Score:4, Insightful)
What does this say about outsourcing VS IT security ... and India [slashdot.org] too.
Flies? More like lame ass script kiddies. (Score:3, Insightful)
If you are going to hack, HACK. Hook up directly to the database back end and write some SQL to extract all the data at once and have it spit out nice neat reports summarizing the data. Run it once a day at most.
Somehow I think this guy was showing off to his boss the first week like some newbie - probably said 'hey check this out' the first day when showing it to him without thinking through the long term ramifications
Re:What was the TOS? Was there even one? (Score:4, Insightful)
He used priviledged information in an unethical way that gave an unfair advantage to his new employer, which should be illegal if it isn't already. But he didn't steal. When you get fired by your employer do you try to prosecute them for "aggravated assault"? Stop stretching definitions, especially to the ludicrous extent that "theft" has been stretched. Look, I'm stealing your bandwidth right now! Ha ha ha!
*puts on his pirate hat*
Re:If you deal in garbage, you might attract flies (Score:2, Insightful)
Complete nonsense. Using a non-sequitur to evoke an emotional response may pass for debate in Canada, but not here in US, eh.
The company explicitly gave the ex-employee access to the site with the private data, apparently without establishing limits on how often the site could be accessed or (slightly more questionable) how the information could be used. The only limitation mentioned by the article was that only two tickets could be booked per year. Although the ex-employee's actions appear unethical, it is not even clear that he violated any usage agreement that came with the ID/password.
Re:If you deal in garbage, you might attract flies (Score:2, Insightful)
Re:If you deal in garbage, you might attract flies (Score:5, Insightful)
Ahh, so if you give your neighbour a key to your garage so he can borrow your lawnmower, and he rifles through all your old bank records that happen to be stored out there, and sells the info to someone else, then he's just doing what any red blooded American can be expected to do (screw his neighbour), and it's your fault for trusting him... is that it? Now I see how it works with you foreigners.
Just kidding. Boy, you really got me with that "eh" joke. I didn't see that one coming... when did y'all b'come so quick-witted down thar anyway?