View Full Version : Dilemma regarding online applications


Charley
20th Mar 2006, 14:33
Tricky one for me, this. I'm in something of a quandary so I thought I'd share and see if anyone else has views on it.

The e-revolution is upon us and many airlines are joining in, streamlining their recruitment by adopting the online application process. Many operators by and large have done a good job of it all - with appropriately big and shiny websites.

Sadly not all airlines have done quite as good a job. In particular, some don't employ any kind of encryption or security during the process. Over the last few days I've come across three such companies, the latest of which was Loganair.

They all asked for a variety of personal details including (but not limited to) current address, work history, NI/social security number, passport number, driving licence number, etc. And yet all of it over an unsecured connection. Am I the only one for whom this rings alarm bells?

Whether this is down to ignorance or the desire to keep the costs down I don't know, but as someone who has previously worked in the internet security field for a financial institution I'm reticent to apply to such companies... at least for now. Perhaps in the future the desire to find work will outweigh the desire to avoid risking identity theft.

Maybe a CV to these companies would still be the best option, despite the fact that it includes the risk of 'not being in the system' and having the CV binned as a result. "The computer says no..." etc.

Anyone else noticed this, or have any thoughts on the matter?

EGBKFLYER
20th Mar 2006, 14:47
Interesting point and it had crossed my mind. I have submitted info nevertheless, reasoning that since the website is not a fake, the company is well-established and I have reasonable protection on my PC, the risk is acceptably small.

Perhaps with your greater knowledge in this area, you can tell us if this approach is right?

Superpilot
20th Mar 2006, 14:57
Loganair's IT dept is probably running on a shoestring budget unlike your financial institutions. Probably the same for most regional operators. Besides, what are the chances of Hack Hackenburg from Hacklesburyshire sniffing in on that website anyway? An SSL page is just one part of the security mechanism. It might make you feel good seeing that padlock icon but it would be pretty useless if the backend was sitting on a SQL Box with its pants down. And this you wouldn't be able to see.

Eddie_Crane
20th Mar 2006, 14:58
If I may chip in...
I think the biggest risk is the fact that all data is sent in "clear text". Therefore anyone who is able to intercept the "transmission" could, in theory, extract the contents.
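
The clear-text concern discussed in this thread can be checked from the applicant's side before submitting anything. The following is an added example, not part of any post and not code from any airline's site: it flags forms that collect personal fields when either the page or the submit target is not HTTPS. The field-name hints, URLs and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed hint list: substrings of field names that suggest personal data.
SENSITIVE_HINTS = ("passport", "ni_number", "nino", "ssn", "licence", "license", "address")

class FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of the fields inside it."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            if attrs.get("name"):
                self._current["fields"].append(attrs["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_forms(page_url, html):
    """Return a finding for each form that takes sensitive fields without HTTPS end to end."""
    collector = FormCollector()
    collector.feed(html)
    # A form served over HTTP can be altered in transit even if it posts to HTTPS.
    page_secure = urlparse(page_url).scheme == "https"
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        fields = [f for f in form["fields"] if any(h in f.lower() for h in SENSITIVE_HINTS)]
        target_secure = urlparse(target).scheme == "https"
        if fields and not (page_secure and target_secure):
            findings.append({"target": target, "fields": fields,
                             "page_secure": page_secure, "target_secure": target_secure})
    return findings

# Constructed sample page, not taken from any real site.
SAMPLE = """
<form action="/apply/submit" method="post">
  <input name="full_name"><input name="passport_number">
  <input name="ni_number"><textarea name="current_address"></textarea>
</form>
<form action="https://example.test/search"><input name="q"></form>
"""
```

Calling audit_forms("http://careers.example.test/apply", SAMPLE) reports the application form and ignores the search form, which collects nothing sensitive.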

Charley
20th Mar 2006, 15:13
Interesting points, thanks guys.

Superpilot, quite true. The budget for small companies is very likely to be small and the point you made is valid. However, there are some provisos to this, most notably the fact that they are liable under the Data Protection Act to store and use the information provided in a suitable manner. If their system design is such that it allows a breach then you're right, the horse has bolted and shutting the stable door will do no good but the fact remains that they would be liable and accountable for such a lapse in security.

They are not liable for us sending information over the internet in clear text form (Cesco is quite right with the point (s)he made on this) as we will have freely volunteered to do so.

The technology that allows the transaction to occur over the HTTPS protocol is not expensive, despite what some may think. SSL Certificates can be obtained by even the smallest airlines on the smallest budgets.

And as EGBK alluded to, the risk is small. Most ID theft on the internet is done by 'phishing' or by an unsecured client. However, consider house insurance. Does one decide not to insure one's property after thinking "what are the chances of a fire actually occurring and burning my house down?"

Flying, especially commercial flying, is largely about risk management. So while I may have concerns over this, many may not, and I accept that entirely.

Edited to add: as for Hack Hackenburg from Hacksville; you may be surprised just how much effort some dirty little folk will go to in finding websites exactly like this, where transactions can be conducted without security. Although, granted, it's normally larger retail sites that they seek to find potential exploits in.

Superpilot
20th Mar 2006, 15:20
I agree usage of HTTPS costs nothing. Most products will offer this capability for nothing but there may be that initial headache experienced by less skilled (cheaper) IT staff in setting it up and they may give up. I know I have in the past! :}

In addition to this, it's an industry favorite (for consultants) to start hiking prices as soon as someone mentions the need for "security", so companies may start cutting corners.

Maybe you could create an identity and let Loganair and the others know they are not really protecting our data?

Charley
20th Mar 2006, 15:31
Superpilot, quite so! In fact, you may have just discovered a way for some of us to keep the pennies rolling in while we search for that first flying job...

:8

Superpilot
20th Mar 2006, 15:52
Me and my (sometimes) big mouth! :{

Eddie_Crane
20th Mar 2006, 16:18
"Superpilot, quite so! In fact, you may have just discovered a way for some of us to keep the pennies rolling in while we search for that first flying job... :8"
:}
"Cesco is quite right with the point (s)he made on this"
he. :)

Interesting thread, especially those last few posts :} ;)

Troy McClure
20th Mar 2006, 16:28
Why not offer your services to upgrade their website, then stick your own details in their database with a dirty great tick in the 'Invite to Interview' box?

Or if you're really cocky, in the 'Hold Pool' box and make yourself number one on the list.

Not that I'd condone such illegal behaviour, naturally. ;)

Charley
4th Apr 2006, 14:49
Hmmm, seems we can add Flybe to the list too.

Funny how they can manage to encrypt the connection when one tries to book a ticket, and yet they don't see the merit in doing so for people sending them passport numbers/NI numbers/previous addresses etc.

:hmm:

Such is life, I s'pose... the computer equivalent of the 'Big Sky Theory' :}