UPDATED 22:29 EDT / AUGUST 29 2018

Air Canada data breach includes passport numbers, personal information

Air Canada Inc. is advising users of its mobile app to reset their passwords after the company said it detected a potential data breach.

The airline said in a notice to customers Tuesday that it detected “unusual login behavior” between Aug. 22 and 24. “We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts,” it added.

Air Canada added that it believes up to 20,000 profiles, out of 1.7 million customers, “may potentially have been improperly accessed.”

The data potentially stolen does not include credit card numbers, but it does include names, email addresses and telephone numbers. In some cases, the data also included Aeroplan number, passport number, NEXUS number, Known Traveler Number, gender, birthdate, nationality, passport expiration date, passport country of issuance and country of residence.

Air Canada did not say how the breach occurred, but given that it involved “unusual login behavior,” it may have been a hacker attempting to use passwords stolen from other sites.

Setu Kulkarni, vice president of corporate strategy at WhiteHat Security Inc., said that although Air Canada’s integration with the Aeroplan platform, the platform used for the app, is “extremely useful for business productivity, it has certainly fallen short of meeting security needs of the business.”

Suggesting that it may have been an issue with the software used for the app, Kulkarni noted that when Air Canada’s existing systems were integrated with the Aeroplan platform, “a security vulnerability in Air Canada likely began propagating to Aeroplan,” probably through the application programming interface-based connection.

“The breach was through the mobile application, and it’s very possible that the backend services used by the mobile app are the same ones the web app and other backend systems use — which could imply a potentially wider-reaching breach,” Kulkarni added.

Amit Sethi, senior principal consultant at Synopsys Inc., noted that one of the problems was Air Canada’s use of single, often weak passwords.

“There is simply no excuse for organizations to still be relying solely on passwords for authentication,” Sethi said. “In this case, the hack might have been related to the Air Canada mobile app. Everyone that uses a mobile app has a mobile device that they can use to enroll in several types of multifactor authentication.”

Moreover, he added, “there is no excuse to have a password policy like the one that Air Canada currently has: 6-10 characters with no special characters allowed.”
