Air Canada Sues Over Misuse Of Employee Password
Anonymous Coward writes "What do you do when you let an employee go? You kill their password and ID, right? Air Canada didn't, and they're now in court because the employee went to a competitor, wrote some cool automated scripts using the ID/password, and grabbed some company data." Interesting story, because Air Canada authorized the employee to access this website and book tickets for himself as part of his severance, but they apparently provide a little more data on that site than what is available to the public.
If you deal in garbage, you might attract flies. (Score:5, Informative)
So here's where the dumb idea play comes in. If they had just let him have some free coach tickets through the customer side of the operation then all they'd have to do is give him some limited-use coupon codes. Or they could have given him cash in his severance package. But no, they had to go with these theoretically near-zero-cost tickets... and now look where they are.
Re:If you deal in garbage, you might attract flies (Score:5, Insightful)
Re:If you deal in garbage, you might attract flies (Score:3, Interesting)
Re:If you deal in garbage, you might attract flies (Score:5, Informative)
Had they simply upgraded him to a regular coach seat, there'd be no need to be giving him access to the employee-side site. This was a case of being cheap in the near term costing more in the long run...
Re:If you deal in garbage, you might attract flies (Score:5, Insightful)
Ahh, so if you give your neighbour a key to your garage so he can borrow your lawnmower, and he rifles through all your old bank records that happen to be stored out there, and sells the info to someone else, then he's just doing what any red blooded American can be expected to do (screw his neighbour), and it's your fault for trusting him... is that it? Now I see how it works with you foreigners.
Just kidding. Boy, you really got me with that "eh" joke. I didn't see that one coming... when did y'all b'come so quick-witted down thar anyway?
Re:If you deal in garbage, you might attract flies (Score:3, Informative)
What you say is true, but you completely missed the point. By giving space-available tickets to an ex-employee, they opened themselves up to this sort of stuff. He wasn't saying that SA tickets are a dumb idea, only that it's dumb to give them to someone who doesn't work for the company anymore.
Re:If you deal in garbage, you might attract flies (Score:2, Informative)
Yeah, someone who works for the company would never do anything nefarious with the information, would they? It just seems obvious that everyone with access to the site, employees or otherwise, should have limits placed on accesses. It's crazy to allow anyone hundreds of thousands of queries.
Re:If you deal in garbage, you might attract flies (Score:3, Interesting)
That's a bit shortsighted, isn't it? These tickets are a great idea all the way around. It's how they give access to the information that's at fault, not the concept of zero-cost tickets. That's like saying that because you killed someone with your car, all cars are a bad idea. The problem here is that Air Canada's website allowed an individual to do 600,000 lookups (whatever the number
Flies? More like lame ass script kiddies. (Score:3, Insightful)
If you are going to hack, HACK. Hook up directly to the database back end and write some SQL to extract all the data at once and have it spit out nice neat reports summarizing the data. Run it once a day at most.
Somehow I think this guy was showing off to his boss the first week like some newbie - probably said 'hey check this out' the first day when showing it
Re:If you deal in garbage, you might attract flies (Score:3, Interesting)
Sorry, wrong!
Many airlines when you call to wait-list yourself on a flight will do just that.... You don't get any details about how full the flight is.
If you want to get particular, this is called Non-Revenue Space-Available. I can list myself on a flight that operates 4 months from now that may only have 4 peop
Calling a spade a "spade" are we? (Score:5, Funny)
Was that a typo... or is The Globe and Mail public on its low opinion of venture capital operations?
Re:Calling a spade a "spade" are we? (Score:5, Informative)
Re:Calling a spade a "spade" are we? (Score:5, Funny)
Re:Calling a spade a "spade" are we? (Score:4, Funny)
I would guess not much more than office equipment, furniture and an unread copy of "Litigation for Dummies".
Re:Calling a spade a "spade" are we? (Score:3, Interesting)
That would be the fitting end to all this lawsuit crap.
Re:Calling a spade a "spade" are we? (Score:5, Informative)
What was the TOS? Was there even one? (Score:5, Insightful)
After all, the site that was involved here was designed for an internal audience, one that'd not dream of feeding info to a competitor.
But they couldn't simply delete this guy's account because he was entitled to use that site for the next five years to book free air travel as part of his severance package. If he was told not to give the information to his new employer, that's one thing. But if he wasn't, then who can say that information given to an ex-employee without any contract still counts as a trade secret?
So, if there isn't a TOS on the page in question... things could get really interesting.
Re:What was the TOS? Was there even one? (Score:5, Insightful)
OTOH, if he signed (and not just viewed or clicked on a button), a confidentiality agreement, then he's fucked.
Re:What was the TOS? Was there even one? (Score:3, Interesting)
Personally I think even if he is "squeaky clean by the law", I still think he is a sleaze bag. Even if
Re:What was the TOS? Was there even one? (Score:3, Insightful)
And if the agreement was drafted without a clause saying he couldn't reveal information to a competitor, then the company's legal/HR team should be fired, not this bloke.
Stole Free Stuff (Score:2)
Why am I not seeing responses from those who say "Information wants to be free"?
Re:What was the TOS? Was there even one? (Score:4, Insightful)
He used privileged information in an unethical way that gave an unfair advantage to his new employer, which should be illegal if it isn't already. But he didn't steal. When you get fired by your employer do you try to prosecute them for "aggravated assault"? Stop stretching definitions, especially to the ludicrous extent that "theft" has been stretched. Look, I'm stealing your bandwidth right now! Ha ha ha!
*puts on his pirate hat*
Excellent newspaper (Score:5, Funny)
Finally a newspaper that calls a cat a cat!
It's all about size. (Score:3, Funny)
Right?
Re:It's all about size. (Score:2)
Re:It's all about size. (Score:2)
Re:It's all about size. (Score:5, Informative)
Actually, there is no harm in deleting the account. It is typical practice to delete all accounts 30-90 days after an employee leaves. My company maintains a database of past IDs and their owners for forensic & audit purposes. (That database is not used for authentication.) But we have no problem with re-issuing an ID to a new employee if the ID has not been used for a few years.
However, deleting or disabling the account would not have worked for Air Canada since they already agreed to give the ex-employee access to their space-available tickets website for the 5 years following his departure.
They could have instead analyzed website activity looking for anomalies, but that may not have worked either since they hadn't anticipated this type of misuse. A better solution would be to not give ex-employees access to any internal data at all. Instead, provide non-employees with only a phone number for a ticket agent who can book the flights for them. But then, that is more expensive. There is risk in being cheap.
Re:It's all about size. (Score:2)
This is a really good, and should be one of the first lessons taught, lesson in application design. Your authentication database should be used only for that. A related identity table should do the trick.
I'm not sure if I understand (Score:5, Informative)
Maybe Lanford signed something, but the article doesn't mention what violation Lanford committed, aside from 'using confidential information' that he obviously had access to.
How effectively can a company regulate the way that information it discloses can be used?
IANAL. Maybe there's some sort of quid-pro-quo regarding Lanford's receipt of something tangible like tickets which would make a confidentiality agreement more binding than a simple clickthrough license, but does anyone know what it takes for one of those buggers to hold up in court?
From the article:
The airline alleges Lafond's identification number was used 243,630 times between May 15, 2003, and March 19, 2004, to access the website.
"The continuous and massive use of Lafond's employee ID number and PIN to access the employee website could not be done by one individual and far exceeds any possible potential use by Lafond," Air Canada said.
Well, obviously he did use the information. It's just a matter of what he used it for.
"Such massive access to the employee website through one employee ID number could only be accomplished through automated technology."
Re:I'm not sure if I understand (Score:3, Interesting)
Or in this case, what if his employer or some unknown party snooped his login and then proceeded to misuse it without his knowledge? Sounds like a reasonable defence...
Re:I'm not sure if I understand (Score:5, Insightful)
In this civil suit one of the arguments that will be put forward by Air Canada is whether the use of the information was "reasonable." Their argument will probably include examples of similar agreements all in an effort to convince a judge. It is unlikely that there is any document that states how many times a person can log into the site, or what they may use the information found on the site for. These statements are unnecessary.
The "reasonable" test goes far beyond what has been written on paper. It appears all over civil and criminal law in every court that has ever been influenced by the British, and probably the other European powers as well. It is a giant catch all in some respects. This test is even found at the heart of modern justice in the phrase "...beyond a reasonable doubt."
Slashdot has reported on many cases where geeks have gotten into trouble when they have assumed that an act was permitted because there is no statement preventing said act. This is never the case. In all laws, and in all contracts there is always an implied element of what is reasonable.
Re:I'm not sure if I understand (Score:2)
And in all laws and contracts, if a geek wants to do it, it's unreasonable. Or to put it another way, reasonable behavior is different for geeks. I hope this person is truly judged by a jury of his peers, and not simply folks who consider anything unusual and intellectual to be 'unreasonable.'
Lets put it this way; lets say you need a username and password to log into ebay. You find the price of certain items
Re:I'm not sure if I understand (Score:3, Interesting)
If this is a civil matter, you *may* be right.
If this is a CRIMINAL matter, you are very VERY wrong. Nothing to do with "...beyond a reason doubt." either.
And, just for your information, the US (I assume you are in that jurisdiction), does allow acts if there is no statement preventing said act. And that's in your constitution.
Not so in Canada, but I sure hope that AC has an agreement in place with the ex-employee. Without a mention of web site usage, they are pretty much fucked. Of course, this coul
Re:I'm not sure if I understand (Score:3, Informative)
Same goes if Joe Smith user gets a virus on his computer that spams the heck out of an ISP and the ISP gets on blacklists. Joe Smith user is ultimately responsible for the spam, and should be booted from the ISP (assuming the TOS allows it) for letting the spammer (knowingly or otherwise) use his account to se
Re:I'm not sure if I understand (Score:2)
But that's the key... the TOS needs to have a "thou shalt not spam" clause in order for spamming to be considered an abuse.
The airline would have had to see this datamining coming in order t
Re:I'm not sure if I understand (Score:2)
The airline would have had to see this datamining coming in order to post a "no datamining" sign anywhere on the site. If they didn't, then there's a vacuum where they should have been such a policy... and that could make all the difference.
A simple 'personal use only' clause would be enough.
Thou shalt check thine logs... (Score:5, Interesting)
It took more than 10 months to realize that this account was hitting the site roughly 750 times per day? Somebody didn't bother to check the logs regularly... this should have smelled funny much faster than that.
Re:Thou shalt check thine logs... (Score:4, Funny)
Re:Thou shalt check thine logs... (Score:5, Interesting)
I have (16k hits/min during the business day). Something like 750 hits per day is well below the line noise threshold for any large site. Unless you look for patterns like that intentionally, you'll never notice.
Re:Thou shalt check thine logs... (Score:2)
Re:Thou shalt check thine logs... (Score:2)
What, exactly, is your job again, sir? You mean to tell me that you would not know if a user-account suddenly joined the 99th percentile of heaviest users? Right up there with the usage by the test automatons? You wouldn't question this account's use in the slightest -- even given the wide gap between that account's usage and the accounts below it?
Re:Thou shalt check thine logs... (Score:5, Interesting)
Say 40k employees look at the site an average of once a month (I'd probably check it out once a week myself, so I think this is a low estimate).
Each time you log in you probably do five or so hits, for 200k hits a month, or over 6000 hits/day.
750 extra hits a day should be noticed, but I doubt anybody cares enough about the traffic on an internal web site to find out why it's gone up by 12% or so. If it happened suddenly on our public site, I'd definitely care, but if it happens on our Intranet it's just an interesting statistic.
Of course, somebody did notice eventually. But it doesn't surprise me that it took a long time to figure out.
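The thread above makes a detection point worth seeing in code: 750 hits a day vanishes into aggregate traffic, but it stands out immediately once hits are counted per account and compared with what other accounts do. The following is an added example, not code from the thread or from Air Canada; the log line format, the account ids, the choice of a median-based baseline with an absolute floor, and the sample traffic are all constructed assumptions.

```python
"""Per-account review of an access log: which accounts are far outside the norm?

Added illustration. Assumed log format, one line per request:
    <ISO timestamp> <account id> <method> <path>
All lines below are constructed sample data.
"""
from collections import Counter, defaultdict
from statistics import median


def build_sample_log() -> list[str]:
    """Constructed day of traffic: 40 ordinary accounts doing 1 to 8 lookups each,
    plus one account hitting the site every 115 seconds around the clock
    (750 hits, roughly 31 an hour)."""
    day = "2003-06-02"
    lines = []
    for i in range(40):
        for k in range((i % 8) + 1):
            lines.append(f"{day}T{8 + k:02d}:{(i * 7) % 60:02d}:00 emp{1000 + i} GET /loads/AC{100 + i}")
    for k in range(750):
        secs = k * 115
        ts = f"{day}T{secs // 3600:02d}:{(secs % 3600) // 60:02d}:{secs % 60:02d}"
        lines.append(f"{ts} emp9999 GET /loads/AC{100 + (k % 40)}")
    return lines


def parse_line(line: str) -> tuple[str, str]:
    """Return (date, account id) for one log line."""
    ts, account, _method, _path = line.split()
    return ts[:10], account


def daily_counts(lines) -> Counter:
    """Hits per (account, date)."""
    counts = Counter()
    for line in lines:
        day, account = parse_line(line)
        counts[(account, day)] += 1
    return counts


def flag_outliers(counts: Counter, floor: int = 50, factor: int = 20) -> dict:
    """Flag (account, date) pairs whose hit count exceeds both an absolute floor
    and `factor` times the median daily count of all accounts seen that day.
    Returns {(account, date): (hits, median_for_that_day)}."""
    per_day = defaultdict(list)
    for (_account, day), n in counts.items():
        per_day[day].append(n)
    baselines = {day: median(values) for day, values in per_day.items()}
    flagged = {}
    for (account, day), n in counts.items():
        baseline = baselines[day]
        if n > floor and n > factor * baseline:
            flagged[(account, day)] = (n, baseline)
    return flagged


def share_of_traffic(counts: Counter, account: str) -> float:
    """Fraction of all hits that one account produced; this is the aggregate view
    in which a scripted account can still look like a modest bump."""
    total = sum(counts.values())
    mine = sum(n for (acct, _day), n in counts.items() if acct == account)
    return mine / total if total else 0.0


if __name__ == "__main__":
    counts = daily_counts(build_sample_log())
    for (account, day), (hits, baseline) in flag_outliers(counts).items():
        print(f"{day} {account}: {hits} hits, median account did {baseline}")
```

The median is used rather than the mean precisely because one scripted account would drag the mean up and partly hide itself; the absolute floor keeps a quiet day (where the median is 1 or 2) from flagging ordinary heavy users.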
Turnabout... (Score:5, Interesting)
For the benefit of Americans who probably neither know the circumstances (nor really care I'm sure), Air Canada is Canada's only remaining national airline (i.e. services all parts of the country as opposed to just a few very profitable routes; and does so with legendary rudeness, but that is another story), and it is quite bankrupt. Its chances of survival at this point seem pretty remote.
Re:Turnabout... (Score:2)
IgNobel (Score:2)
Re:IgNobel (Score:3, Informative)
Non-Canadian airlines will fly in and out of Canadian cities, but there are a bunch of regulations preventing them from being true competition for Air Canada. For instance, Delta can't fly from Toronto to Vancouver to Tokyo. We have to fly from Toronto to Chicago to
The moral is? (Score:2, Insightful)
The information could have been obtained by noting the place and departure times of all Air Canada's flights. The ex-employee just made it easier.
Too, it looks like a sinking ship in search of rats.
Re:The moral is? (Score:4, Informative)
Re:The moral is? (Score:3, Interesting)
Also on the flight loads, if I really (read it twice) want that information, I could have a bunch of apprentices sit outside the loading gates and count the people that boarded, having them record the plane and route. Voila - got your information legally.
Re:The moral is? (Score:2, Informative)
With budget airlines such as Ryanair and easyJet, you already do, in a way. Prices vary according to load. As the flight fills up, prices rise. As the flight date approaches with lots of empty seats, the price falls. They are using the price carrot to get the max income from those who gotta go when they gotta go, but to
What if they all sit on the same side of the plane (Score:2)
Of course, you could always try and scan the windows of the plane to see how many people are sitting in there but what if they all sit on the same side?
My parents were coming to visit me on a new route by a competitor to Air Canada. At some
Re:The moral is? (Score:2)
The moral may be the company should be more careful but the fact is that the ex-employee, if he actually did this, should be prosecuted for theft. If a person leaves their door open it is not a licence for others to take his property. It may be stupid but stealing remains the action of the thief even if he does not break a lock to do it.
Rights? Clearly abused. (Score:3, Informative)
This is an insider-information case, and he should get what's coming to him. Pure and simple. He abused a quirk, he and WestJet really don't have a strong case here.
Comment removed (Score:5, Informative)
Re:Rights? Clearly abused. (Score:4, Interesting)
I'm sorry, you are correct. This is a trade secret issue. If Air Canada can cough up the paperwork saying he was only allowed to use his insider information to book his own tickets and absolutely nothing else, then it's an open-shut case. If not, then it'll be interesting to see how WestJet's lawyers defend this dude.
Re: (Score:2)
Re:Rights? Clearly abused. (Score:2)
Re:Rights? Clearly abused. (Score:3, Insightful)
Which logic is that? Certainly not any that was posted here.
if you leave your front door unlocked, and I walk in and take your stuff, it's OK, because you allowed me access to it
No. More like: if I gave you a key to my front door, and told you to take whatever you wanted from my fridge, and you come in, clean out the fridge, and sell it to the market across the street, then it's OK, because I gave you access to it.
Which it would be (because I have given you permission.)
he
Re:Rights? Clearly abused. (Score:2)
Re:Rights? Clearly abused. (Score:2)
Unreasonable for whom? To me, sure - to him, possibly not.
One could probably argue a small claims settlement successfully on such a case.
yes, and one could probably defend a small claims case successfully on such a case.
It would entirely depend upon the judge, and the skill of the people presenting each side of the case.
Re:Rights? Clearly abused. (Score:3, Insightful)
Sure, it looks likely that he passed this information onto his new employer, but unless you are the defendant, how can you be so sure?
The world needs more people who don't just jump to conclusions from reading one newspaper article.
Terms and conditions... (Score:4, Insightful)
If the use of the login and password was specified in an employment contract though, would he still be bound to the Ts&Cs after he left?
Dealing with this right now (Score:5, Interesting)
My company is looking at it in a different way tho - We've figured out what click sequences are used and we're going to address the business need that these few bots have identified. If these 3rd party bots are selling atomic or aggregate data, well, why not cut them off at the source and sell the data for less?
The company failed in 2 areas - 1) keeping sensitive inside information from their outward facing internet site and 2) They should have rescinded the ID. I'm not sure about making their data available to the competition, but that's an inevitability that they need to account for.
-B
Re:Dealing with this right now (Score:4, Insightful)
Identify the bots and slowly poison their data instead. That's how a man should do it.
Whenever the bot is digging into your data, instead of real data feed it fake garbage data instead. Poisoned garbage data should however only be slightly off, not to make it obvious that it is garbage data. The point is: it should take long to realize that the data is poisoned. When they realize the data is poisoned they should not be able to tell what data is real and what is poisoned so they will have to throw ALL data away.
So that when they finally realize they have been poisoned it will be too late to do anything about it.
Re:Dealing with this right now (Score:5, Interesting)
So that when they finally realize they have been poisoned it will be too late to do anything about it.
Not ethical and impractical. Just how many requests does it take before you start poisoning? 1000 per hour? We get that many hits from AOL and they come in through a gateway. If we were poisoning legitimate users' data, that would be unacceptable.
Why don't you go the ebay way and provide an API into your web site, then change the format slightly every month so breaking the web crawlers? After all, you may as well make money out of the data miners. We have *extensive* APIs into most of our systems. We're trying to get the bots to use and license the APIs. I have been talking with some of the developers to try to put some unicode inside (human readable but bot breaking).. They may be looking into this. We don't make any money off the data miners.
Re:Dealing with this right now (Score:2)
The best defense against dataminers is garbage data...
Instead of giving the overzealous IP a limit as to how much they can down
Re:Dealing with this right now (Score:2)
HTTP client IP addresses don't directly correspond to users. What happens when you block a proxy and hundreds of legitimate users can't get to your website?
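Two comments in this thread make complementary points: one that any account, employee or not, should be limited in how many lookups it can make, the other that throttling by client IP address breaks hundreds of legitimate users behind a shared proxy. Keying the quota on the authenticated account resolves both. The following is an added example, not code from the thread or from any airline; the sliding-window limiter, the 60-per-hour quota, the handler stand-in and the proxy scenario are all constructed assumptions.

```python
"""Per-account sliding-window rate limit for an authenticated web site.

Added illustration; the quota, the handler and the traffic scenario are constructed.
"""
from collections import Counter, defaultdict, deque


class AccountRateLimiter:
    """Allow at most `limit` requests per account within any window of `window_seconds`.

    Keyed on the account id, not the client address, so a proxy fronting hundreds of
    real users is never throttled as a whole, while one account scripting thousands
    of lookups is throttled on its own.
    """

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)  # account -> timestamps of recently allowed requests

    def allow(self, account: str, now: float) -> bool:
        q = self._hits[account]
        cutoff = now - self.window
        while q and q[0] <= cutoff:      # drop hits that have left the window
            q.popleft()
        if len(q) >= self.limit:
            return False                 # denied requests are not counted against the window
        q.append(now)
        return True

    def remaining(self, account: str, now: float) -> int:
        q = self._hits[account]
        cutoff = now - self.window
        return self.limit - sum(1 for t in q if t > cutoff)


def handle_request(limiter: AccountRateLimiter, account: str, client_ip: str, now: float):
    """Stand-in for a web handler: returns (HTTP status, note for the access log)."""
    if limiter.allow(account, now):
        return 200, ""
    # The client address is recorded for the investigator, but it is the account that is throttled.
    return 429, f"account {account} over quota (seen from {client_ip})"


def simulate() -> Counter:
    """Constructed hour of traffic: 300 users behind one proxy address making three
    lookups each, beside one account scripting a lookup every 15 seconds."""
    limiter = AccountRateLimiter(limit=60, window_seconds=3600)
    outcome = Counter()
    for u in range(300):
        for k in range(3):
            status, _ = handle_request(limiter, f"emp{1000 + u}", "10.0.0.1", now=k * 600)
            outcome[("proxy_users", status)] += 1
    for k in range(200):
        status, _ = handle_request(limiter, "emp9999", "192.0.2.7", now=k * 15)
        outcome[("scripted", status)] += 1
    return outcome


if __name__ == "__main__":
    for (who, status), n in sorted(simulate().items()):
        print(f"{who:12s} HTTP {status}: {n}")
```

In the scenario every proxy user gets all three lookups through, while the scripted account is cut off after its sixtieth request of the hour; the 429 responses, logged with the account id, are also the signal a log review would pick up long before ten months had passed.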
The Funny Part (Score:5, Interesting)
Seems to me that Air Canada will have to pay WestJet money for "lost profits," since they spared them from losing money on those flights!
Re:The Funny Part (Score:5, Insightful)
Why not skip the Seattle leg and get on in Vancouver? If you miss the first leg of a flight you are not allowed to make the second leg even when in this case there was an 8 hour layover in Vancouver. As Seattle is only 2.5 hours drive from Vancouver it is conceivable someone could miss the flight from Seattle to Vancouver and still quite easily make the flight from Vancouver to London by catching the train north.
My point, anyways, was that I was pissed that an airline subsidized by Canadian taxpayers was offering flights to Americans at just over half the price they were offering it to Canadians.
And before any of you idiots ask the price difference had nothing to do with the exchange rate.
Re:The Funny Part (Score:2)
This past summer I was pricing flights from Wisconsin to Beijing. Normally it's cheapest to fly out of Chicago on United, as they have a daily direct flight, and everybody else makes you change planes and pay more. But Chicago is five hours by car away from where I was at the time, so I thought I'd see how much it was to fly out of Madison. I found a ticket that just flew from Madison to Chicago to Beijing (a highly ironic path because the flight
Re:The Funny Part (Score:3, Informative)
Re:The Funny Part (Score:2)
We had to fly to new england from Dallas a few months ago. The price out of D/FW was about $1400 for a direct flight on AA, because lots of people want to fly out of Dallas. The price out of Aus
Checked baggage? (Score:2)
Re:Checked baggage? (Score:2)
But you can only do this if you're on a one-way ticket (or the return side of a round trip). If you deliberately miss one flight, the airline will cancel the rest of your itinerary and you'll be stranded.
Re:The Funny Part (Score:2)
The price structures of the airlines are despicable and your case h
Re:The Funny Part (Score:3, Interesting)
That's not nearly as bad as the time my sister wanted to go Minneapolis-Washington D.C., and found the cheapest fare involved a plane change in Paris, France! She decided not to do that, but seriously considered spending a day in France both ways to see the sights, it would still save money. (IIRC she didn't have enough vacation time saved up)
Re:The Funny Part (Score:2)
Re:Airline Pricing (Score:2)
And which of those is the more successful business? Based on your example I'd say it doesn't work, more or less.
Re:The Funny Part (Score:3, Funny)
What's wrong with that? That's how they do it in the USA.
Re:The Funny Part (Score:2)
Up North here, only Air Canada seems to enjoy this security net, as other airlines have to succeed in the marketplace to survive. This is made worse by AC pricing some flights under cost to "compete," then when competition is eliminated they cry to the govt for loan guarantees or other forms of bailout. They enjoy this arrangement because as Air Can
Re:The Funny Part (Score:2)
Terrible Journalism (Score:3, Funny)
Didn't they have something like this (Score:2, Interesting)
Was it him? (Score:2)
And if you are the low paid IT worker whose code do you give? Somebody who has left the company but is still in the system.
True, it's fishy that the ID belonged to somebody who went to a competitor, but how many major airline employees have moved to budget airline companies?
I think Air Canada whould at le
Everything not forbidden is permitted? (Score:3, Interesting)
The activity in question appears to have been facilitated by access granted as part of his severance package. As the article notes: "As part of his separation package when Lafond left Canadian Airlines in October 2000, he received two space-available airline tickets per year for five years. These tickets are booked through the private website."
The article is actually a little hazy on the details here. Though it doesn't specifically say so, it seems to imply that the separation agreement gave the terminated employee direct access to this private web site through a user name and password. One can imagine other ways this could be done that didn't involve direct access to the employee, like through a dedicated fulfillment provider, for example.
Either way, it sounds like it all amounts to some pretty dumb corporate behavior on the part of Air Canada. Either bad security practices if they didn't cut off the guy's access, or bad auditing if all that use went unnoticed for so long.
Not how - but what. (Score:5, Informative)
You don't get sued for accessing the website, with or without an illegal id. You get sued if you misuse information you gained in your former employment. It doesn't matter if it is in your contract, the commerce laws in Denmark forbid use of inside knowledge to harm other companies - as it clearly is happening in this case.
I would guess that Canada has some similar laws.
So how you obtain the information is irrelevant - even though this case is interesting from a Slashdot point of view.
I don't think it's that cut-and-dried (Score:2)
But the thing is - he's not using information he gained in his former employment.
He didn't get the information while he was employed there - he got it after he left, from a website that is available to non-employees.
forbid use of inside knowledge to harm other companies
But it's not inside knowledge - if it was inside knowledge, then (by definition) it would be kept inside. The fact that Air Canada releases this information t
reason window whatever (Score:4, Insightful)
Always change passwords when employees leave (Score:4, Interesting)
I'm not sure anymore if that would help, but I know at least one company never changed their passwords because their vendors kept paging me, up to a year later, to "go into the system and make these changes." One of the vendor contacts and I had become good friends, and one day he begged, "We can't get in, and those bozos won't answer our pages." So I told them the last password I had, stating it probably wouldn't work. Nope, he got right in. Root access to a major gateway.
And the password was easy too, like abc123 "That's the combo on my luggage" easy. Considering this gateway controlled 48 T1 lines to a large call center, I shudder to think how it could be used if phreaked.
Re:Always change passwords when employees leave (Score:2)
Doing that gives you no legal leg to stand on whatsoever. It's like pointing a gun at someone's head, saying "duck!" then shooting them. The very act in itself is illegal, regardless of whether you gave prior warning or not, and regardless of how many meetings they had to discuss the vulnerability...
Uhhh..web traffic reports? (Score:2, Funny)
Let's see who's visiting our website last month...OMG!
How could a commercial website be so clueless?
Hello? Air Canada I.T. Department? (Score:5, Interesting)
" If AC really knew the truth they would realise that access had been made following the circulation of the PIN on airline chat lines earlier this year. WomPom even used it to verify its functionality."
http://www.wompom.ca/news/wp2004apr07.htm#1
Duh...
There are 2 issues here (Score:4, Insightful)
Issue 2: Duplicity from the former employee accessing data he knew full well that he should not have accessed.
Both need to harbor the blame for their part.
Grain of salt (Score:4, Insightful)
law (Score:2, Interesting)
How about Professional Ethics? (Score:5, Insightful)
And if I was his boss at WestJet, I'd be nervously trying to figure out what data this guy will 'volunteer' once he leaves his current employment...
It has been pointed out that the data he retrieved from WestJet, he retrieved after he left, and therefore didn't steal it - but the existence of the server, and the fact that he could access it - is information that this guy had a professional obligation to keep to himself.
I hope WestJet takes care of him, 'cause I can't imagine him working anywhere else now...
Pixie
FYI: Air Canada's IT was outsourced in 1994 (Score:4, Insightful)
What does this say about outsourcing VS IT security ... and India [slashdot.org] too.
I'm all for timeliness of data (Score:2, Interesting)
but logging into a website 32 times an hour for 10 months; is that really necessary to get the information Westjet is accused of using?
I would think a couple of times an hour at most would be all that is required to gather flight loads. I can't see a whole lot of passengers waiting until 2 minutes before the flight to book their tickets (it may happen once or twice, but over the course of months those will be anomalies). So either Westjet was being stupid and killed the goose that laid the golden egg, or
binary is for computers, not humans (Score:3, Interesting)
Re:binary is for computers, not humans (Score:2)