Travel News Today

Why the national carrier's griping about WestJet is getting it nowhere?

You could call Mark Hill a successful entrepreneur, or, if you're Air Canada, you can call him a crook. If he also turns out to be an armchair computer programmer, we are dealing with a Renaissance man of untold talents.

According to documents filed in court and released publicly this week, Air Canada alleges WestJet employees exchanged dozens of e-mails containing confidential corporate information about its rivals, which also include Jetso and CanJet. Hill, a WestJet co-founder and former vice-president at the upstart airline, has been accused of using a special reservations Web site for Air Canada employees and retirees to source information about routes, schedules and other competitive data. The documents say Hill spent an hour and a half a night manually scraping the information off the site, then collaborating with others to come up with a computer program that automated the process.

When this lawsuit was launched two years ago, I used this space to discuss comments Air Canada chief executive Robert Milton made about a «rogue IT department» he believed was employed at WestJet, something that seemed improbable at the time. Such a duplicitous operation would be difficult to sustain amid a normal corporate structure, I argued. It now turns out that very little sophistication was needed to do that WestJet allegedly did. According to the same court documents, Hill was using an access code for the special reservations Web site that was provided by an employee who moved over to WestJet from Air Canada. As the security industry likes to say, why hack when you can hire?

Even if WestJet has been found guilty in court -- the suit was settled in May with WestJet issuing an apology, agreeing to pay Air Canada's legal fees and contribute $10-million to several charities -- the fallout from this case does not put Air Canada in a much better light. The issue may not have been so much WestJet's rogue IT department as Air Canada's remiss IT department. Although internal vulnerabilities are often estimated to account for half of all IT security breaches, we are not talking about the average mid-sized Canadian business. This is Air Canada, an enterprise large enough and savvy enough that it should have had the kind of business processes in place to protect secure sites once an employee leaves the company.

At the moment Air Canada is still portraying itself as the victim in this case, but at what point will the legal system start holding firms more accountable for leaving their digital front doors open? If this was a financial institution that lost financial information on its customers which was then used to take money from their accounts, where will the blame ultimately fall? Air Canada is fortunate in having a villain it can name, unlike the countless companies that practice IT negligence but place the onus on a faceless legion of so-called hackers.

At the very least, Air Canada should be prepared to explain the measures it took to lock down its portals once the alleged unauthorized access was discovered. It's one thing to call «gotcha» on a thief. The other valid follow-up question is, how'd they getcha?

by Shane Schick
sschick@itbusiness.ca