Air Canada Resets Customer Passwords After Hackers Access Data

Air Canada is forcing all users of its Mobile+ app to change their passwords after hackers managed to access the profile information, including names, email addresses, birth dates and passport details of some customers.

The company detected unusual login behavior through its mobile application between Aug. 22 and 24 that might have resulted in unauthorized access to around 20,000 profiles, or approximately 1 percent of the app’s 1.7 million users.

“Starting Aug. 29, 2018, we have sent emails to customers whose accounts may have been improperly accessed,” the company said on its website. “If you did not receive an email from Air Canada specifically advising you that your Air Canada mobile App account may have been improperly accessed, we are confident your account was unaffected during this period. As an additional precaution however, we are contacting all Air Canada mobile App users requiring all users to re-set their passwords.”

In addition to basic information such as name, email address and telephone number, an Air Canada customer’s profile can also include Aeroplan number, passport number, NEXUS number, Known Traveler Number, gender, birth date, nationality, passport expiration date, passport country of issuance and country of residence.

Credit card information can also be associated with profiles, but the company said this data is encrypted and stored in compliance with payment card industry standards.

Air Canada didn’t reveal how hackers managed to gain access to customer accounts but said that users will have to reset their password “using improved password guidelines to further enhance security measures.” This suggests that it might have been a brute-force password guessing attack or a credential stuffing attack, where hackers try to access accounts using passwords leaked in data breaches from other services.

Security researchers have warned in the past that airline websites are using weak password schemes and that the whole global travel booking system, where flight and passenger information is exchanged between companies, uses highly outdated security.

“The security of Air Canada’s systems is of paramount importance, and Air Canada takes security of its customers’ privacy and data very seriously,” the airline said. “Air Canada approaches security in a multi-layered manner, and we also work with leading cyber security and industry experts to detect irregularities and take action quickly. We continuously improve our practices as technology and security practices evolve.”