The Canadian Broadcasting Corporation (CBC) reported today that Air Canada admits the personal information for about 20,000 customers “may potentially have been improperly accessed” via a breach in its mobile app, so the company has locked down all 1.7 million accounts as a precaution until customers change their passwords.
A banner running at the top of Air Canada’s web page states, “Air Canada has asked Mobile+ app users to reset their accounts as a security precaution. Due to the large volume, some customers may experience a delay in the process to change their passwords. We ask customers to be patient and assure them their data is protected and not accessible to unauthorized users. We apologize for the delay. For more information.”
Cybersecurity expert Samuel Bakken, Senior Product Marketing Manager for OneSpan said today, “Thankfully the airline was able to detect the breach and keep the number of affected accounts to 20,000 – but tell that to the individuals whose privacy has been violated. Such an incident will affect victims’ — not to mention prospective customers’ — trust in Air Canada and may result in decreased usage of the mobile app or, in the end, customer defection. Banks and financial institutions know that maintaining trust in the mobile channel via strong authentication and security is absolutely imperative to customer acquisition and retention. The details of how the attackers gained access are scant at this point, but it sounds like strong, multifactor authentication integrated into the mobile app could potentially have prevented this unauthorized access. Many vendors offer easy to use mobile development toolkits that make it easy to natively integrate advanced biometric authentication into their apps.”
The CBC report quotes Chester Wisniewski, principal research scientist at cybersecurity firm Sophos as saying, “You never want someone to know your name, your birthday and your passport.” He says he thinks its unlikely that the company was targeted by hackers, but rather was simply caught off-guard by an enterprising cybercriminal.
The airline’s official notice to their mobile app users advises, “We detected unusual login behaviour with Air Canada’s mobile App between Aug. 22-24, 2018. We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile App accounts to protect our customers’ data.
To reactivate your Air Canada mobile App account, please see the instructions emailed to you or follow the prompts the next time you log into your Air Canada mobile App.
Your credit card information is protected. As a continued best practice, we recommend you should always monitor your credit card transactions and contact your financial services provider immediately if you become aware of any unusual or unauthorized activities.
Your Aeroplan password is not stored on Air Canada’s mobile App. As a best practice, we recommend you monitor your Aeroplan transactions and contact Aeroplan immediately if you become aware of any unusual or unauthorized Aeroplan transactions.”
Steven Bowcut, CPP, PSP is the Editor-in-Chief for Brilliance Security Magazine