Air Canada warns that passport numbers may have been stolen in data breach

30 Aug 2018

Sign in Toronto airport. Image: JHVEPhoto/Shutterstock

Air Canada’s app has suffered a data breach, with thousands of customers affected.

Air Canada has revealed that personal data of 20,000 of its mobile app users may have been affected in a data breach. The airline said that it noticed “unusual login activity” between 22 and 24 August and “immediately took action”.

All 1.7m users of the app have been locked out until they update their passwords and have been emailed instructions on how to log in to the app and change the passwords.

Credit card data is encrypted

Air Canada is urging its customers to closely monitor their credit card activity and immediately contact their financial institutions if they notice anything out of the ordinary. It did note that credit card data is encrypted and therefore protected. Passport details may have been copied, including passport number, country of issuance, expiration date and birth date, among others.

The breach does not affect those users who have an account on Aircanada.com.

Some app users have reported a glitchy process when trying to change their passwords, as well as delays in certain cases. The airline said the issues are due to a large volume of customers trying to change their passwords at the same time.

It is not yet clear what caused the breach.

Apps can lead to new security issues

Setu Kulkarni, vice-president of corporate strategy at WhiteHat Security, told Siliconrepublic.com that while convenient, airline apps can introduce an array of new cybersecurity problems that were previously not an issue.

Kulkarni added: “While Air Canada’s B2B integration with the Aeroplan platform [a travel loyalty scheme for frequent fliers] is extremely useful for business productivity, it has certainly fallen short of meeting security needs of the business.

“When the integration occurred, a security vulnerability in Air Canada likely began propagating to Aeroplan through the (likely API-based) connectivity. The breach was through the mobile application, and it’s very possible that the back-end services used by the mobile app are the same ones the web app and other back-end systems use, which could imply a potentially wider-reaching breach.

“Comprehensive security testing and training along with continuous assessment of production assets could make such massive breaches a thing of the past.”

Samuel Bakken, senior product marketing manager at OneSpan, said that the absence of strong, multifactor authentication integrated into the app may have been the source of the issue.

He added that there are other authentication methods available to developers. “Many vendors offer easy-to-use mobile development toolkits that make it easy to natively integrate advanced biometric authentication into their apps.”

Sign in Toronto airport. Image: JHVEPhoto/Shutterstock

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com