Customers using Air Canada’s mobile app asked to change passwords

Canada’s flagship airline, Air Canada, has warned its customers to reset their accounts after the company “detected unusual login behavior” on its mobile app that may have put sensitive information at risk.

The airline estimates that approximately 20,000 people could have been affected by the security breach, which occurred sometime between August 22 and 24 this year.

“We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts,” Air Canada said in an announcement yesterday.

“As an additional security precaution, we have locked all Air Canada mobile app accounts to protect our customers’ data.”

All 1.7 million users of the mobile app were subsequently locked out of their accounts, but the airline has stated that the service is now fine to use.

“We contacted potentially affected customers directly by email starting Aug 29 to tell them if we determined their account may potentially have been accessed improperly,” the airline said, adding that all mobile app users should change their passwords for safety.

Data held with the Air Canada mobile app includes name, email address, and telephone number, all of which may have been accessed by malicious actors.

Passport information and frequent flier details may also have been compromised if a user had added them to their app profile, the airline said.

Air Canada confirmed that no credit card information has been affected, as this data was encrypted. The airline has still urged customers to monitor their bank for any fraudulent transactions.

“Customers should also review Aeroplan transactions and contact Aeroplan immediately if they become aware of any unusual or unauthorized activities,” the company said.

“The security of Air Canada’s systems is of paramount importance, and Air Canada takes security of its customers’ privacy and data very seriously.”

Air Canada’s disclosure follows other major breaches in the aviation industry, which, like most of the transport sector, is struggling to catch up to the digital world and the inherent risks that online connectedness can pose.

In March, The Daily Swig reported on the 880,000 holidaymakers who had their personal details, including credit card information, compromised following an attack on travel booking website Orbitz.

The next month, Delta, a major US airline, launched a free credit monitoring service after its third-party online chat service experienced unauthorized access by cyber criminals in an incident that potentially affected all of its customers.

Writing in an email to The Daily Swig about this latest incident, Winston Bond, technical director at Arxan Technologies, said: “Our investigations lead us to believe that the security models for many airline apps haven’t evolved along with the user features.

“We would expect to see the strong level of app protection that gets applied to mobile wallet apps and commercial video playback apps, but airline apps are still not being obfuscated and they still store all the offline data in unencrypted databases.”

He added: “It isn’t hard for an attacker to reverse engineer these apps and work out how to extract all the user data.”

The Daily Swig has reached out to Air Canada for comment.