Although Air Canada says that a data breach discovered last week affects only 20,000 of its mobile app accounts – including passport details – it is requiring all 1.7 million users to reset their passwords the next time they log in.
The next time they try to log in, users will see a notice asking them to reset their password because of too many failed login attempts. In its notice, Air Canada warns that some customers may experience a delay when logging in because of the large volume of account resets.
“We detected unusual login behaviour with Air Canada’s mobile app between Aug. 22 – 24, 2018. We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile App accounts to protect our customers’ data,” the notice states. The airline is also contacting potentially affected customers directly.
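The notice describes "unusual login behaviour" and a lock-out triggered by too many failed login attempts. The following is an added example, not Air Canada's code or anything published with the article, of the kind of detection that turns raw authentication logs into that signal. It assumes a hypothetical log format (ISO timestamp, source IP, account, FAIL/OK) and uses a constructed sample log; the thresholds are illustrative. It flags sources that fail many times against many different accounts within a short window, which is the pattern of automated credential guessing, while leaving a single user who mistypes their own password twice alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Air Canada data).
# Assumed format: "<ISO timestamp> <source_ip> <account> <FAIL|OK>"
SAMPLE_LOG = """\
2018-08-22T10:00:01 203.0.113.7 user001 FAIL
2018-08-22T10:00:02 203.0.113.7 user002 FAIL
2018-08-22T10:00:03 203.0.113.7 user003 FAIL
2018-08-22T10:00:04 203.0.113.7 user004 OK
2018-08-22T10:00:05 203.0.113.7 user005 FAIL
2018-08-22T10:00:06 203.0.113.7 user006 FAIL
2018-08-22T10:00:09 198.51.100.2 alice FAIL
2018-08-22T10:00:40 198.51.100.2 alice FAIL
2018-08-22T10:01:10 198.51.100.2 alice OK
2018-08-22T10:02:00 192.0.2.9 bob OK
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return events


def flag_sources(events, window_seconds=60, fail_threshold=5, account_threshold=3):
    """Return {ip: (failures, distinct_accounts)} for sources whose failed
    logins within a sliding window hit both thresholds.

    Requiring many *distinct* accounts is what separates automated guessing
    across the user base from one person repeatedly mistyping one password.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, account))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within window_seconds.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            in_window = fails[start:end + 1]
            accounts = {account for _, account in in_window}
            if len(in_window) >= fail_threshold and len(accounts) >= account_threshold:
                flagged[ip] = (len(in_window), len(accounts))
                break
    return flagged


if __name__ == "__main__":
    for ip, (fails, accounts) in flag_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {fails} failures across {accounts} accounts")
```

On the sample log, 203.0.113.7 is flagged (five failures across five accounts in five seconds) while 198.51.100.2, which is alice failing twice and then succeeding, is not. In a real deployment the flagged source would feed rate limiting or a challenge rather than a blanket lock, and the per-account view (one account hit from many sources) needs the same treatment.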
Air Canada says credit card information and Aeroplan loyalty program passwords were not affected by the breach, but Aeroplan account numbers, names, email addresses and phone numbers may have been exposed. For app users who stored passport information, Nexus information, Known Traveler numbers, birthdates or nationality details in their profile, that data is also potentially at risk.
“If you stored your passport information on your profile, the Government of Canada’s passport website advises that the risk of a third party obtaining a passport in your name is low if you still have your passport, proof of citizenship and supporting identity documents. Also, according to the website, the Government of Canada cannot issue a new passport to anyone based on only the information found in a passport,” the notice states.
More airlines are encouraging frequent fliers to use mobile apps as a convenient way to check in for flights, but each app and its backend widens the attack surface, says Setu Kulkarni, vice-president of corporate strategy at Whitehat Security. In this case, the Air Canada app is falling short of meeting the business’ security needs. He points to the recent integration with the Aeroplan platform as a potential cause of the problem.
“When the integration occurred, a security vulnerability in Air Canada likely began propagating to Aeroplan through the (likely API-based) connectivity. The breach was through the mobile application, and it’s very possible that the backend services used by the mobile app are the same ones the web app and other backend systems use–which could imply a potentially wider-reaching breach,” he writes in an email.
Kulkarni recommends that companies test digital assets throughout their development lifecycle to avoid hacks. It’s why practices such as DevSecOps are being embraced by many businesses, as a way to manage continual security testing.
Another security consultant, Amit Sethi of security testing and design vendor Synopsys Inc., says Air Canada’s weak approach to authentication is to blame. Air Canada accepts passwords that are only six to 10 characters long and does not allow special characters, and it offers no option for two-factor authentication.
“There is simply no excuse for organizations to still be relying solely on passwords for authentication. In this case, the hack might have been related to the Air Canada mobile app. Everyone that uses a mobile app has a mobile device that they can use to enroll in several types of multi-factor authentication,” he writes in an email.
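To make the password-policy criticism concrete, here is an added example (not Air Canada's code, and not from Sethi or Synopsys) that encodes the policy the article describes, six to 10 characters with no special characters, beside a policy in the style of NIST SP 800-63B: a minimum of eight characters, a generous maximum, any printable character including spaces, and a check against known-breached passwords. The breached list is a constructed stand-in for a real corpus such as a breached-password service, and `PasswordPolicy` is a hypothetical helper. The short policy rejects a long passphrase that the stronger one accepts, and accepts a well-known breached value that the stronger one rejects. Multi-factor enrollment, which Sethi also calls for, is a separate control not shown here.

```python
import string
import unicodedata

# Constructed stand-in for a breached-password corpus (assumption, not a real list).
BREACHED = frozenset({"password", "123456", "summer2018", "qwerty123", "letmein"})


class PasswordPolicy:
    """Hypothetical policy object: length bounds, an optional allowed-character
    set (None = any printable character) and an optional breached-password set."""

    def __init__(self, min_len, max_len, allowed=None, breached=frozenset()):
        self.min_len = min_len
        self.max_len = max_len
        self.allowed = allowed
        self.breached = breached

    def check(self, password):
        """Return the list of reasons the password is rejected; empty means accepted."""
        reasons = []
        # Normalise so visually identical Unicode input compares consistently.
        pw = unicodedata.normalize("NFKC", password)
        n = len(pw)
        if n < self.min_len:
            reasons.append(f"shorter than {self.min_len} characters")
        if n > self.max_len:
            reasons.append(f"longer than {self.max_len} characters")
        if self.allowed is not None:
            bad = sorted({c for c in pw if c not in self.allowed})
            if bad:
                reasons.append("disallowed characters: " + "".join(bad))
        elif any(not c.isprintable() for c in pw):
            reasons.append("contains non-printable characters")
        if pw.lower() in self.breached:
            reasons.append("appears in breached-password list")
        return reasons


# The policy the article describes: 6-10 characters, letters and digits only.
WEAK_POLICY = PasswordPolicy(
    min_len=6, max_len=10,
    allowed=set(string.ascii_letters + string.digits),
)

# NIST SP 800-63B style: at least 8, long maximum, any printable character,
# no composition rules, and known-breached values refused.
STRONG_POLICY = PasswordPolicy(
    min_len=8, max_len=128, allowed=None, breached=BREACHED,
)


def compare(password):
    """Evaluate one candidate password under both policies."""
    return {
        "weak": WEAK_POLICY.check(password),
        "strong": STRONG_POLICY.check(password),
    }


if __name__ == "__main__":
    for candidate in ("Summer2018", "correct horse battery staple!"):
        print(repr(candidate), compare(candidate))
```

The weak policy accepts `Summer2018`, a value that appears in the constructed breached list, and rejects the 29-character passphrase for being too long and for containing a space and an exclamation mark; the stronger policy does the reverse. Capping length at 10 and banning symbols shrinks the search space an attacker has to cover, which is exactly the wrong direction for a service holding passport data.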
For affected consumers, it’s a good idea to change your Air Canada password right away. Make sure you don’t use that same password on other websites or apps.