Air Canada this week notified customers of malicious activity around its mobile app and prompted users to reset their passwords, as a precautionary measure.
The company says it detected unusual login behavior with its mobile application between Aug. 22 and 24, 2018, and that the password reset was the result of that incident.
“We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile App accounts to protect our customers’ data,” the company said.
Out of the 1.7 million Air Canada mobile App user profiles, approximately 20,000 profiles might have been improperly accessed during the attack and the company says it is contacting potentially affected customers directly.
However, all of the company’s mobile users were asked to reset their passwords using improved password guidelines.
Air Canada says users’ credit card information is protected, but recommends keeping an eye on all transactions. The basic profile data stored on the mobile app account includes name, email address, and telephone number.
However, users may also add their Aeroplan number, passport number, NEXUS number, Known Traveler Number, gender, birthdate, nationality, passport expiration date, passport country of issuance, and country of residence. The Aeroplan password is not stored in the app.
“Credit cards that are saved to your profile are encrypted and stored in compliance with security standards set by the payment card industry or PCI standards,” the company says.
As Mark Sangster, VP and industry security strategist at Canadian-based cyber security company eSentire, told SecurityWeek in an emailed statement, one major issue related to this incident is that many of Air Canada’s users are frequent travelers who spend in different countries and geographies, thus “making it harder for credit card providers to identify anomalous spending tied to their accounts.”
He also applauds Air Canada’s swift reaction to the incident, noting that “the window between the point of detection and point of response is critical.” The sooner users learn about a data breach, the quicker they can take action to secure sensitive information.
Matt Chiodi, VP of Cloud Security at RedLock, agrees. “It’s important to note that were it not for the swift actions of Air Can
ada’s security teams, it could have been exponentially worse since the 20,000 records that were accessed only represented 1% of their overall database,” Chiodi said in an emailed comment.
“As the frequency and voracity of cyberattacks continue to increase, privacy and protection laws, such as the ones introduced in Europe (General Data Protection Rules), and here in Canada with the Personal Information Protection and Electronic Documents Act (PIPEDA), become more critical. These laws need to tighten, ensuring companies have well understood rules and triggers for privacy and data breach notification, timelines for response, and fully understand their obligations when it comes to protecting the information of its employees and customers. Until then, it’s open season on our data and hard-earned wealth,” Sangster concluded.