Monday, April 11, 2005

Aeroplan rapped over data security

Aeroplan is once again in the privacy hot-seat, according to this article from the Globe and Mail. This time, it is for inadequate security that allowed an Aeroplan member's boss to review and modify his account information. The article has some pretty strong words from Heather Black, the Assistant Privacy Commissioner of Canada:

The Globe and Mail: Aeroplan rapped over data security:

Monday, April 11, 2005 Page B1

The Office of the Privacy Commissioner has sharply criticized security at Air Canada's popular Aeroplan frequent-flyer program and told the airline to better protect members' account information.

"On the whole, there was a clear lack of diligence on the part of Air Canada with respect to its handling and protection of customer personal information," Heather Black, assistant privacy commissioner, said in a recent ruling involving a Vancouver businessman whose Aeroplan account was accessed, and changed, by his former boss.

While noting the airline has taken some steps to tighten security, she said key data is still too easily available. "If someone with access to an account number calls the system, he or she [is able to access] the account holder's name, the number of miles recently credited to the account, and the account balance."

"This information is not password protected. I remain concerned about the accessibility to the information that is still on the system."

Aeroplan has six million members and has reward program partnerships with retailers such as Future Shop Ltd., Imperial Oil Ltd.'s Esso gasoline chain and Bell Canada's phone services.

Michele Meier, an Aeroplan spokeswoman, said the company has already acted on recommendations made during the investigation. "We're in the process of evaluating whether any further measures will be taken or will be necessary," she said.

The case dates back to March 14, 2002, when the businessman, Danny Yehia, received a duplicate copy of his previous Aeroplan statement.

When he contacted Aeroplan for an explanation of why he was sent the additional statement, he was told that someone had requested the information and changed the e-mail address on his account.

At the time, Mr. Yehia was involved in a lawsuit with his former boss, Joel Berman, a Vancouver glass designer. Mr. Berman alleged Mr. Yehia and his partner had taken company secrets when they left his glass business months earlier. Part of the lawsuit centred around a trip Mr. Yehia took to Australia allegedly to meet a rival glass company.

Mr. Berman admitted to the privacy officer that he obtained detailed information about Mr. Yehia's account from Aeroplan's computerized telephone information system and through an Air Canada agent. "Air Canada states that he could do this because there was no personal identification number required," Ms. Black said in her decision.

She said Mr. Berman did not misrepresent himself or pretend to be Mr. Yehia. In fact, he provided the agent with his name in order to pay a processing fee to change the account.

The lawsuit was eventually dropped, but Mr. Yehia complained about Aeroplan's actions to the privacy commissioner.

In her decision, released last week, Ms. Black said she was "disturbed by Air Canada's lack of co-operation with respect to [Mr. Yehia's] complaint."

She also said the agent who changed the account had not been properly trained in privacy issues and "it did not appear to concern her that she was not speaking to the account holder." The agent "did not even seem to be aware of the importance of maintaining the confidentiality of personal information."

She added that, given the number of people who have access to Aeroplan members' numbers, such as employers, travel agents, and Aeroplan workers, "I do not believe that having account information readily available, without any protection on it, constituted an adequate safeguard."

Ms. Meier said Aeroplan regrets "this unfortunate incident," and noted that it has restricted the information on the automated phone service. It has also updated privacy procedures and introduced more training for staff.

But Ms. Black questioned whether the changes go far enough. She said the automated system still provides access to account holders' names, the number of miles recently credited to the account and the account balance.

"Many individuals have credit cards that are partnered with Aeroplan. Anyone with access to the Aeroplan account number could potentially know from the number of miles credited to the account how much money was charged against the account holders' credit card in a month."

She recommended that password controls be placed on all account information that is accessible through the automated system.

Mr. Yehia said Aeroplan should be doing much more to protect information.

"You'd think that after [the Sept. 11, 2001 terrorist attacks] security would be an important issue," he said.

When asked if he is still an Aeroplan member, he laughed and replied: "I am. Because where I travel, I don't really have much choice."

Presently, passwords are required to view and modify account information. Also, phone agents are requiring more proof of identity before assisting Aeroplan members.
