Air Canada confirms mobile app data breach, passport numbers were accessed

Air Canada has suffered a data breach and is forcing a password reset on all 1.7 million users of its mobile app, though apparently only 20,000 of the mobile app accounts were accessed by the attackers.

How did it happen?

“We detected unusual login behaviour with Air Canada’s mobile App between Aug. 22-24, 2018,” the company announced on Wednesday.

“We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile App accounts to protect our customers’ data.”

They did not say – and perhaps they still don’t know – whether the breached accounts were accessed by attackers who attempted to reuse previously compromised login credentials found or sold on underground markets, or whether it was the result of a hack of the company’s systems.

In the meantime, they have invalidated the passwords on all mobile app accounts and sent out email alerts to potentially affected users.

(Aircanada.com accounts are not linked to Air Canada mobile app accounts, so those passwords don’t have to be changed.)

What type of information was compromised?

An Air Canada mobile app account contains the user’s name, email address, telephone number, payment card number, as well as additional information the user chose to add to his or her profile: Aeroplan number, passport number, passport expiration date, passport country of issuance and country of residence, NEXUS number, Known Traveler Number, gender, birthdate, and nationality.

The company assured users that the payment card numbers saved to the users’ profile are encrypted and stored in compliance with PCI standards, so they are safe.

But, as Seamus Bellamy sarcastically pointed out, “Oh good: my credit card is totally safe, but all the stuff that can be used to pretend to be me and get more of my money is at risk. What a relief.”

Air Canada says that, according to the Government of Canada’s passport website, the risk of a third party getting a passport in a person’s name is low if they still have their passport, proof of citizenship, and supporting identity documents, and that the Government of Canada “cannot issue a new passport to anyone based on only the information found in a passport.”

It’s likely that other countries have a similarly difficult-to-game process for issuing new passports.

Unfortunately, depending on where you are in the world, the stolen information might be used by fraudsters to set up different types of accounts or obtain other genuine documents (e.g., driving license).

Action Fraud, the UK’s national fraud reporting centre, told the BBC that banks, insurance firms and mobile phone providers do not always require sight of the physical document in order to open accounts.

What to do?

“If you did not receive an email from Air Canada specifically advising you that your Air Canada mobile App account may have been improperly accessed, we are confident your account was unaffected during this period,” the company has stated.

Nevertheless, all Air Canada mobile app users will have to reset their passwords and have been advised to use a “robust” one (i.e., long, complex, unique).

Affected users are urged to regularly review their financial transactions and keep an eye on their credit rating.