31st Aug 2018
Air Canada’s app has suffered a data breach, resulting in the suspected loss of personal details for thousands of the airline’s customers.
The airline has warned that those who have entered their passport details into the app may have had the data stolen.
Air Canada, the largest airline operating in the country, detected unusual login activity between 22 and 24 August, and took the decision to lock its 1.7 million accounts. It believes that around 20,000 accounts have had data stolen from them, and has informed these customers via email.
The airline has stated that credit card details are not thought to be at risk, as these were encrypted. However, profile data including names, email addresses and phone numbers could have been exposed, along with any passport details customers had provided, such as passport numbers, expiration dates, nationalities, countries of residence and birth dates.
It is unclear how the breach occurred, but the firm’s relatively weak password system has been highlighted as an issue of concern. According to Canadian government guidelines on cyber security, passwords should “include at least one character that isn't a letter or number” and be a minimum length of eight characters.
Amit Sethi, a security consultant at Synopsys, spotted that Air Canada's website still says that account passwords should contain between six and 10 characters and may consist only of letters and numbers, with no symbols accepted.
He commented: “Many users will choose short and easily guessable passwords. Moreover, users that want to use strong passwords cannot do so.”
Air Canada’s app now says that passwords should be at least 10 characters long and contain one symbol.
Customers of the airline who use the app are also now required to reset their login details.