Air Canada’s Aeroplan recently came under fire for a perceived lack of security, The Globe and Mail has reported.
In a ruling by the Office of the Privacy Commissioner, the frequent flyer program was criticized for not better protecting members’ account information.
Heather Black, assistant privacy commissioner, ruled that Aeroplan had not taken adequate security steps in a case involving a Vancouver businessman whose Aeroplan account was accessed, and changed, by his former boss.
“On the whole, there was a clear lack of diligence on the part of Air Canada with respect to its handling and protection of customer personal information,” Black said.
The case began when Danny Yehia received a duplicate copy of his previous Aeroplan statement. When he asked Aeroplan why, he was told that someone had requested the information and changed the e-mail address on his account.
Yehia was at the time being sued by his former boss, Joel Berman, who alleged that Yehia had taken company secrets when he left his business months earlier.
Part of the lawsuit centered on a trip Yehia took to Australia, allegedly to meet with a rival company.
Berman admitted to the privacy officer that he obtained detailed information about Yehia’s account from Aeroplan’s computerized telephone information system and through an Air Canada agent.
“Air Canada states that he could do this because there was no personal identification number required,” Black said in her decision. She said Berman did not misrepresent himself or pretend to be Yehia. In fact, he provided the agent with his name in order to pay a processing fee to change the account.
The lawsuit was eventually dropped, but Yehia complained about Aeroplan’s actions to the privacy commissioner.
Michele Meier, an Aeroplan spokeswoman, told The Globe and Mail that the company has already acted on recommendations made during the investigation. “We’re in the process of evaluating whether any further measures will be taken or will be necessary,” she said.
Meier said Aeroplan regrets “this unfortunate incident,” and noted that it has restricted the information on the automated phone service. It has also updated privacy procedures and introduced more training for staff.
In her ruling, Black claimed that important personal information is still too readily available. “If someone with access to an account number calls the system, he or she [can access] the account holder’s name, the number of miles recently credited to the account, and the account balance.
“This information is not password protected. I remain concerned about the accessibility to the information that is still on the system.”