Air Canada yesterday warned customers of "unusual login behavior" on its mobile app between 22 August and 24 August, during which time a portion of its account profiles may have been accessed without authorisation.
Of the airline's 1.7 million user profiles, roughly one percent, or 20,000 profiles, may be affected by the breach. Customers who opened these accounts are being contacted directly via email, the company stated in an online disclosure.
Exposed data consists of names, email addresses and telephone numbers, as well as optional information that some users added to their profiles, including Aeroplan loyalty program numbers, NEXUS frequent traveler program numbers, Known Traveler Numbers, gender, birth dates, nationalities, and passport information such as passport numbers, expiration dates, country of issuance and country of residence.
Credit card information saved to customers' profiles is safe, the company insists, because such data is encrypted and stored in compliance with payment card industry standards. Likewise, Aeroplan passwords are safe because they are not stored on the app.
Air Canada said that it "immediately took action to block" the unwanted access and also "implemented additional protocols to protect against further unauthorised attempts." The company also locked all mobile accounts, requiring customers to reset their passwords in order to use the app again.
Jake Moore, security specialist at ESET, said in emailed comments that Air Canada's decision to lock customers out of their accounts until they update their passwords is a "great way to encourage people to think about their passwords should they require access back into it. In fact, this is now an opportunity to think about using a password manager or at least a password generator to help customers with their general cyber-awareness and security."