UPDATED 22:29 EST / AUGUST 29 2018

INFRA

Air Canada data breach includes passport numbers, personal information

Air Canada Inc. is advising customers of their mobile app to reset their passwords after the company said it detected a potential data breach.

The airline said in a notice to customers Tuesday that it detected “unusual login behavior” between Aug. 22 and 24. “We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts,” it added.

Air Canada added that it believes the accounts of up to 20,000 profiles out of 1.7 million customers, “may potentially have been improperly accessed.”

Although not including credit card numbers, the data potentially stolen includes names, email addresses and telephone numbers. In some cases, the data also included Aeroplan number, passport number, NEXUS number, Known Traveler Number, gender, birthdate, nationality, passport expiration date, passport country of issuance and country of residence.

Air Canada did not provide information on the form of the data breach, but given that it involved “unusual login behavior,” it may have been a hacker attempting to use passwords stolen from other sites.

Setu Kulkarni, vice president of corporate strategy at WhiteHat Security Inc., said that although Air Canada’s integration with the Aeroplan platform, the platform used for the app, is “extremely useful for business productivity, it has certainly fallen short of meeting security needs of the business.”

Suggesting that it may have been an issue with the software used for the app, Kulkarni noted that when integration occurred between Air Canada’s existing systems and the Aeroplan platform, “a security vulnerability in Air Canada likely began propagating to Aeroplan” likely through the application programming interface-based connection.

“The breach was through the mobile application, and it’s very possible that the backend services used by the mobile app are the same ones the web app and other backend systems use — which could imply a potentially wider-reaching breach,” Kulkarni added.

Amit Sethi, senior principal consultant at Synopsys Inc., noted that one of the problems was Air Canada’s use of single, often weak passwords.

“There is simply no excuse for organizations to still be relying solely on passwords for authentication,” Sethi said. “In this case, the hack might have been related to the Air Canada mobile app. Everyone that uses a mobile app has a mobile device that they can use to enroll in several types of multifactor authentication.”

Moreover, he added, “there is no excuse to have a password policy like the one that Air Canada currently has: 6-10 characters with no special characters allowed.”

Photo: BriYYZ/Wikimedia Commons

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU