Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

Hackers Hit Air Canada Mobile App

Air Canada this week notified customers of malicious activity around its mobile app and prompted users to reset their passwords, as a precautionary measure.

Air Canada this week notified customers of malicious activity around its mobile app and prompted users to reset their passwords, as a precautionary measure.

The company says it detected unusual login behavior with its mobile application between Aug. 22 and 24, 2018, and that the password reset was the result of that incident.

“We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile App accounts to protect our customers’ data,” the company said.

Out of the 1.7 million Air Canada mobile App user profiles, approximately 20,000 profiles might have been improperly accessed during the attack and the company says it is contacting potentially affected customers directly.

However, all of the company’s mobile users were asked to reset their passwords using improved password guidelines.

Air Canada says users’ credit card information is protected, but recommends keeping an eye on all transactions. The basic profile data stored on the mobile app account includes name, email address, and telephone number.

However, users may also add their Aeroplan number, passport number, NEXUS number, Known Traveler Number, gender, birthdate, nationality, passport expiration date, passport country of issuance, and country of residence. The Aeroplan password is not stored in the app.

“Credit cards that are saved to your profile are encrypted and stored in compliance with security standards set by the payment card industry or PCI standards,” the company says.

As Mark Sangster, VP and industry security strategist at Canadian-based cyber security company eSentire, told SecurityWeek in an emailed statement, one major issue related to this incident is that many of Air Canada’s users are frequent travelers who spend in different countries and geographies, thus “making it harder for credit card providers to identify anomalous spending tied to their accounts.”

He also applauds Air Canada’s swift reaction to the incident, noting that “the window between the point of detection and point of response is critical.” The sooner users learn about a data breach, the quicker they can take action to secure sensitive information.

Matt Chiodi, VP of Cloud Security at RedLock, agrees. “It’s important to note that were it not for the swift actions of Air Can
ada’s security teams, it could have been exponentially worse since the 20,000 records that were accessed only represented 1% of their overall database,” Chiodi said in an emailed comment.

“As the frequency and voracity of cyberattacks continue to increase, privacy and protection laws, such as the ones introduced in Europe (General Data Protection Rules), and here in Canada with the Personal Information Protection and Electronic Documents Act (PIPEDA), become more critical. These laws need to tighten, ensuring companies have well understood rules and triggers for privacy and data breach notification, timelines for response, and fully understand their obligations when it comes to protecting the information of its employees and customers. Until then, it’s open season on our data and hard-earned wealth,” Sangster concluded.

Related: China Probes Suspected Customer Data Leak at Accor Partner

Related: Hackers Breach Cryptocurrency Platform Atlas Quantum

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Data Breaches

T-Mobile disclosed another massive data breach affecting approximately 37 million customer accounts.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

A new Mississippi Cyber Unit will be the state’s centralized cybersecurity threat information, mitigation and incident reporting and response center.


Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...


Thoma Bravo will spend $1.3 billion to acquire Canadian software firm Magnet Forensics, expanding a push into the lucrative cybersecurity business.