Former employer changed account information of Air Canada frequent flyer member

PIPEDA Case Summary #2005-292

(Principles 4.3, 4.7, 4.7.1, 4.10.3, and 4.10.4 of Schedule 1)

Complaint

An individual complained that Air Canada, which at the time owned and operated Aeroplan, had disclosed his personal information, without his knowledge and consent. He claimed that his former employer was able to access his personal Aeroplan account and make changes to it.

It took approximately two years to bring this investigation to a close. Interviews were scheduled but could not take place because a company lawyer wanted to be present (the complainant had by this point launched a civil action) and she was not available at the scheduled time.

Shortly afterward, the Ontario Superior Court of Justice (Commercial List) issued an order staying all proceedings against Air Canada to allow it to obtain temporary protection while the company restructured. The company argued that no investigation could take place until the existing bankruptcy protection ended. The Office of the Privacy Commissioner of Canada sought clarification from Mr. Justice Farley of the Ontario Superior Court on this matter. While he agreed that the Stay Order applied to the Office, he also urged Air Canada to work with the Office to deal with the complaints. Air Canada maintained its position that this particular investigation could not proceed – despite the fact that our Office was able to conclude all of the other complaints against Air Canada before it. The company stated that it needed the lawyer’s participation and that she was unavailable because of restructuring.

The investigation finally recommenced in the fall of 2004, after the bankruptcy protection ended.

Note: During the investigation of this complaint, Aeroplan became a separate legal entity on January 1, 2003. Responsibility for the events described in this complaint, the organization’s response, and the delays the Office encountered rest with Air Canada, not Aeroplan.

Summary of Investigation

The complainant used to travel frequently when he worked for his former employer. The travel agency the employer used had his Aeroplan number on file. At the time of the incident in question, the complainant no longer worked for the company.

One day, the complainant received a duplicate copy of his last Aeroplan statement in the mail. As he had not ordered one, he contacted Air Canada to find out why it had sent him a duplicate statement. The agent informed him that one had been requested, and the cost of processing the additional statement had been applied against a credit card. The credit card number, however, did not match the complainant’s. The agent told him that someone had called the company a week earlier and asked for information about his travel. The same individual had also requested and paid for a copy of the complainant’s statement, and had changed the e-mail address on his Aeroplan account to that of the former employer.

The complainant then spoke to a lead agent, who gave him the contact number for Air Canada security. The lead agent changed the e-mail address back to the complainant’s address, and suggested that he place a password on his account to protect his information from unauthorized access.

The complainant spoke to security and explained that he suspected that a fraud may have been committed. He was told that he could file a written complaint with the security office, which he did. It was also suggested that the complainant contact the police, a step that he also took. At the conclusion of the police investigation, it was determined that the complainant’s former employer could not be charged with a criminal offence since he did not misrepresent himself or pretend to be the complainant. The complainant contacted Air Canada security again and relayed the police findings. According to the complainant, Air Canada took no further action.

The complainant and his former employer were involved in a dispute. The former employer, however, readily admitted that he obtained information about the complainant’s travel itinerary from Aeroplan’s computerized telephone information system. Air Canada stated that he could do this because there was no personal identification number required. He told us that he also called Air Canada, spoke to an agent, asked for a copy of the complainant’s statement, and gave his credit card number. He indicated that the company was supposed to e-mail him, but he never received the statements. His credit card account was charged, however. To the best of his recollection, he did not need a password for either the teleprompt system or when he spoke to the agent.

Our Office determined that at the time of this incident it was possible, through the automated telephone service, to obtain travel information for the last five travel transactions in Aeroplan of account holders. It would not be possible, however, to change an e-mail address or order copies of a statement without speaking to an agent. When speaking to an agent, the agent was supposed to ask the caller to confirm other information on the account file or, if the account was password protected, to ask for the password in order to authenticate the caller.

Air Canada stated that the complainant had a password on the account at the time. He could not recall whether he did or did not. However, he stated that if he had, it would have been his birth date – information that his former employer would have had access to. Our Office could not determine whether or not the complainant had a password at the time.

Currently, when a customer calls the automated system, he or she only has access to his or her name, the number of miles recently credited to the account and the account balance. This information is not password protected. The automated system indicates that due to privacy concerns, it "no longer provides the following information: origin and destination cities for flight credits."

We reviewed the computerized transaction records from the material time. The screen notes made by the lead confirmed that the e-mail address had been changed to that of the former employer. A fee of $10.70 was paid by credit card to cover the cost of an additional statement.

Our Office spoke to the agent who made the changes to the complainant’s account, but she could not recall the incident. When asked about privacy training, she could not remember receiving any specific training. Our investigation established that a caller can provide a credit card number for payment purposes under any name; however, it is incumbent upon the agent to ensure that he or she is in fact dealing with the Aeroplan account holder, and may ask questions if the credit card account is in a different name. When asked about making changes to account information if the name and number given for a credit card payment were different from that on file, she indicated that a "light would go on" but did not remember an occasion when this happened to her.

We determined that no name for the credit card holder was required to be placed on file at that time. The billing is against the card number. If there is a problem with a card being accepted, the charge goes to the account and the member cannot use any reward miles until the amount is paid. The complainant confirmed that the credit card number in question was not his, and his account was not charged back for failure to pay.

The lead supervisor was also interviewed, and she confirmed that she examined the complainant’s account. She noted that an entry on the complainant’s account showed that the e-mail had been changed to that of the former employer, who had wanted a copy of the statement to be mailed to him. Since Air Canada did not have the technology at the time to do so, it mailed the statement to the street address on file.

The lead supervisor stated that the changes made to the complainant’s account would not be considered normal procedure. She reported the incident to the security group, and spoke to the agent involved. The lead supervisor stated that she reminded the agent not to change the information of members if it is not the member who is calling. She also followed up to ensure that the complainant’s new password was on file and that the file could not be accessed without it.

The lead supervisor stated that she had privacy training and regularly received updates on privacy matters.

We also spoke to the security official at Air Canada who was assigned to the case. He confirmed that he suggested that the complainant contact the police as the complainant felt that a criminal offence had occurred. After the complainant informed him of the police findings, the security agent stated that he may have spoken to the lead supervisor, but he was never able to identify who spoke to the former employer and made the changes. He stated that he did, however, ask if there was a way to find out. As noted from our investigation, the lead supervisor was aware of the identity of the agent involved.

The security official confirmed that the complaint was not entered into the system. He stated that he thought no further action was taken, but that the account had been password protected. He indicated that he had received privacy training, which was updated periodically.

Findings

Issued April 6, 2005

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate; Principle 4.7 stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information; Principle 4.7.1 states that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held. Principle 4.10.3 states that organizations shall inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures; and under Principle 4.10.4, an organization shall investigate all complaints.

The Assistant Privacy Commissioner began her comments by noting that she was disturbed by Air Canada’s lack of cooperation with respect to this complaint. In spite of Mr. Justice Farley’s urging, Air Canada refused to cooperate when the Office attempted to move forward with the investigation. As a result, there was an excessive delay in concluding this complaint, which the Assistant Commissioner considered entirely unacceptable.

That said, she continued with her deliberations as follows:

• It was clear that the former employer obtained information about the complainant’s Aeroplan account from Air Canada and even modified information on the account, and that he had done so without misrepresenting himself or pretending to be the complainant.
• At the time of the disclosure, the teleprompt system allowed anyone with the account number to access the last five transactions against the account. Although details about specific flights have since been removed from the system, the former employer was easily able to find this information as he had the complainant’s account number from the period during which the complainant worked for him. In the Assistant Commissioner’s view, given the large number of people who have access to Aeroplan members? numbers (employers, travel agents, individuals who work for companies that are part of the Aeroplan family), she did not believe that having account information readily available, without any protection on it, constituted an adequate safeguard.
• As for the agent who modified the account, it did not appear that she asked any information to confirm the caller’s identity. The former employer did provide his name when giving his credit card number, but it did not concern her that she was not speaking to the account holder. She did not even seem to be aware of the importance of maintaining the confidentiality of personal information.
• On the whole, the Assistant Commissioner found that there was a clear lack of diligence on the part of Air Canada with respect to its handling and protection of customer personal information. The company did not have adequate safeguards in place for its teleprompt system, and while it may have had some safeguards in place when a caller would speak to an agent, the agent in this case did not follow them. The agent in fact did not give the Office the impression that she was very concerned about the importance of protecting customer personal information.
• As a result of inadequate or improperly implemented safeguards, the complainant’s personal information was disclosed without his knowledge and consent. Thus, she found Air Canada in contravention of Principles 4.7, 4.7.1, and 4.3.
• As for Air Canada’s handling of the complaint, aside from advising the complainant to contact the police, the company did not direct him to its internal mechanisms for dealing with privacy complaint issues even though the company had a privacy officer and procedures in place. The police investigation would focus on possible criminal activity, but this would not preclude the company from conducting an internal investigation to determine what happened in this case.
• As for measures taken by the company as a result of this incident, the automated teleprompt system has since been changed. However, the most serious privacy breach occurred when the agent was speaking to the former employer. There is no evidence that anyone from the organization addressed this issue with the agent apart from the lead agent verbally reminding her not to change account information if it is not the account holder calling. In the Assistant Commissioner’s view, Air Canada did not in any way meet its requirements under Principles 4.10.3 and 4.10.4.

The Assistant Commissioner concluded that the complaint was well-founded.

Further Considerations

The Assistant Commissioner concluded her report by commenting on the changes that have been made to the automated system. If someone with access to an account number calls the system, he or she will now have access to the account holder’s name, the number of miles recently credited to the account, and the account balance. This information is not password protected. Although the flight information has been removed, the Assistant Commissioner remained concerned about the accessibility of the information that is still on the system. Many individuals have credit cards that are partnered with Aeroplan. Anyone with access to the Aeroplan account number could potentially know from the number of miles credited to the account how much money was charged against the account holder’s credit card in a month.

Aeroplan is now a separate legal entity. The Assistant Commissioner therefore wrote to Aeroplan recommending that it implement password controls on account holder information that can be accessed through its automated system.