Air Canada Mobile App Breach Likely to Have Affected 20,000 Customers
Personal information for about 20,000 Air Canada customers may have been improperly accessed through a breach in the airline’s mobile app, according to reports. The airline reportedly told customers in an email that it had detected “unusual login behaviour” with its mobile app on certain days last week.
CBC/Radio-Canada reports: “Air Canada says the personal information for about 20,000 customers ‘may potentially have been improperly accessed’ via a breach in its mobile app, so the company has locked down all 1.7 million accounts as a precaution until customers change their passwords… The airline told customers in an email that it ‘recently detected unusual log‑in behaviour with Air Canada’s mobile App between Aug. 22-24, 2018.’”
Following the detection of the unusual activity, Air Canada took action to prevent further attacks and also locked all Air Canada mobile app accounts immediately.
A notice, with an FAQ, published on the official Air Canada website states: “We detected unusual login behaviour with Air Canada’s mobile App between Aug. 22-24, 2018. We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile App accounts to protect our customers’ data.”
By the airline’s estimate, only 1 percent of the customers who use the app would have been affected. The potentially affected customers are being contacted. The Air Canada notice/FAQ says, “There are approximately 1.7 million Air Canada mobile App user profiles, and our investigation has determined that approximately one per cent or 20,000 profiles may potentially have been improperly accessed. We are contacting potentially affected customers directly.”
The Air Canada mobile app stores basic profile data, including customers’ names, telephone numbers and email addresses. The breach could have led to this basic data being improperly accessed. In addition, if users have saved other data to their profile, such as Aeroplan number, passport number, NEXUS number, Known Traveler Number, gender, birthdate, nationality, passport expiration date, etc., these too could have been improperly accessed. Credit card data, which is saved in encrypted form, would not be affected.
Air Canada clarifies in the FAQ: “Your credit card information is protected. Credit cards that are saved to your profile are encrypted and stored in compliance with security standards set by the payment card industry or PCI standards. As a best practice, customers should always monitor their transactions and credit rating carefully and contact their financial services provider immediately if they become aware of any unusual or unauthorized activities.”
Though the Air Canada mobile app might hold a user’s Aeroplan number, it does not hold the Aeroplan password, which is therefore safe. Air Canada clarifies: “Your Aeroplan password is not stored in the Air Canada mobile App. As a precaution and as a best practice, we recommend customers always review all transactions regularly, and immediately report any irregular or unfamiliar transactions to Aeroplan immediately.”
The airline also makes it clear that customers need not be worried about the safety of their passports. As long as they have their passports and the supporting documents, the risk of third parties obtaining passports in their names is low. The information found in a passport is not enough for the Government to issue a new passport to anyone; the supporting documents are needed for that.
Air Canada reportedly hasn’t detected any unusual activity on its mobile app after August 24. The airline is contacting the 20,000 customers who might have been directly affected.
Customers have also been advised to reset their passwords the next time they access their accounts, choosing a robust password. They have also been asked to monitor their financial transactions and Aeroplan transactions.
Some security experts, however, feel that the hackers were not targeting Air Canada and were not bent on stealing customers’ data. It might be that they just happened to spot a vulnerability and breached the app through it. Still, it’s always good for organizations and individuals to adopt security measures for data protection.
Julia Sowells
Julia Sowells has been a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, has written technical articles, and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.