
Air Canada mobile app breach potentially impacts about 20,000 profiles

Air Canada yesterday warned customers of "unusual login behavior" on its mobile app between Aug. 22 and 24, during which time a portion of its account profiles may have been accessed without authorization.

Of the airline's 1.7 million user profiles, roughly one percent, or 20,000 profiles, may be affected by the breach. Customers who opened these accounts are being contacted directly via email, the company has stated in an online disclosure.

Exposed data consists of names, email addresses and telephone numbers, as well as optional information that some users added to their profiles, including Aeroplan loyalty program numbers, NEXUS frequent traveler program numbers, Known Traveler Numbers, gender, birth dates, nationalities, and passport information such as passport numbers, expiration dates, country of issuance and country of residence.

Credit card information saved to customers' profiles is safe, the company insists, because such data is encrypted and stored in compliance with payment card industry standards. Likewise, Aeroplan passwords are safe because they are not stored on the app.

Air Canada said that it "immediately took action to block" the unwanted access and also "implemented additional protocols to protect against further unauthorized attempts." The company also locked all mobile accounts, requiring customers to reset their passwords in order to use the app again.

Jake Moore, security specialist at ESET, said in emailed comments that Air Canada's decision to lock customers out of their accounts until they update their passwords is a "great way to encourage people to think about their passwords should they require access back into it. In fact, this is now an opportunity to think about using a password manager or at least a password generator to help customers with their general cyber awareness and security."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
