[BreachExchange] Air Canada mobile app breached, data of 20, 000 customers may have been accessed

Thu Aug 30 09:08:25 EDT 2018

https://www.theglobeandmail.com/business/article-air-canada-mobile-app-breached-data-of-20000-customers-may-have-been/

Some 20,000 Air Canada customers woke up Wednesday to learn their
personal information may have been compromised after a breach in the
airline’s mobile app, which prompted a lock-down on all 1.7 million
accounts until their passwords could be changed.

Air Canada said it detected unusual login activity between Aug. 22 and
Aug. 24 and tried to block the hacking attempt, locking the app
accounts as an additional measure, according to a notice on its
website.

Mobile app users received an email Wednesday morning alerting them as
to whether their account had been affected.

The app stores basic information including a user’s name, email and
phone number.

Any credit card data is encrypted and would be protected from a
breach, Air Canada said.

But Aeroplan numbers, passport numbers, birth dates, nationalities and
countries of residence could have been accessed if users saved them in
their account profile, the company said.

Air Canada declined to respond to questions, referring The Canadian
Press to its website.

The risk of a third party obtaining a passport in someone else’s name
is low if the user still has their passport and supporting documents,
according to the federal government.

Users can reactivate their account along stricter password guidelines
by following instructions emailed to them or prompts when logging in.

Some users reported problems with the process on social media, likely
due to the volume of customers trying to unlock their account.

Air Canada advised anyone looking to access the app to keep trying.

In March, the airline said some customers who booked hotels through
its former travel partner Orbitz may have had their personal data
stolen.

Nearly 2,300 bookings through Air Canada hotel options could have been
involved in a data breach of hundreds of thousands of records that
Orbitz reported earlier this year, Air Canada said.

The Expedia-owned travel website operator, whose platform Air Canada
no longer uses, disclosed on March 20 that hackers may have accessed
personal information from about 880,000 payment cards in 2016.