A serious data breach affecting Air Canada has been announced. The company’s mobile app has been affected, and as a result, its 1.7 million users are now forced to change their passwords. Despite this precaution, the number of affected customers is 20,000, as it appears that these accounts were accessed by hackers.
We detected unusual login behaviour with Air Canada’s mobile App between Aug. 22-24, 2018. We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile App accounts to protect our customers’ data, the company wrote in a statement.
It hasn’t been specified how the breach took place. It may be that the attackers used previously compromised login credentials sold on the Dark Web, or that the breach was preceded by a hack of Air Canada’s systems. The good news is that Aircanada.com’s accounts are not linked to the mobile app accounts, so they don’t need to be changed. Affected mobile app accounts’ passwords were invalidated, and emails were sent out to potentially affected customers.
Type of Information Compromised in the Breach
What’s in an Air Canada mobile app account? User’s name, email address, telephone number, and payment card number. However, some users may have chosen to add further details to their accounts, such as Aeroplan number, passport number, passport, expiration date, passport country of issuance, country of residence, NEXUS number, Known Traveler Number, gender, birthdate, and nationality. In other words, some accounts may have contained plenty of personal details.
According to the company, payment card numbers are intact as they are encrypted and stored in compliance with PCI standards. These numbers are safe, Air Canada reassures. However, all the other personal details the user may have chosen to disclose may be at risk.
Nonetheless, Air Canada points out that:
If you stored your passport information on your profile, the Government of Canada’s passport website at https://www.canada.ca/en/immigration-refugees-citizenship/services/canadian-passports/security/protect-fraud.htmlExternal advises that the risk of a third party obtaining a passport in your name is low if you still have your passport, proof of citizenship and supporting identity documents. Also, according to the website, the Government of Canada cannot issue a new passport to anyone based on only the information found in a passport.
What is unfortunate is that depending on the location of an affected customer, the stolen details may be used by scammers and fraudsters to set up all kinds of accounts. Using these stolen details, fraudsters may also be capable of obtaining other genuine documents such as driving license.
What to Do If You Are Affected?
Apparently, Air Canada has taken steps to lock down customers’ accounts. Such accounts can be unlocked by following the password reset instructions in the email that was sent by the company. Using a complex password is the general rule of thumb that also applies here. In addition:
We recommend customers regularly review their financial transactions, be aware of any changes in their credit rating, and contact their financial services provider immediately if they become aware of any unusual or unauthorized transactions.