Up to 20,000 users of Air Canada’s mobile app may have had their personal details stolen following a recent breach.
According to a statement released by Air Canada on Tuesday, the company detected ‘unusual login behaviour’ on the app between August 22-24, which may have resulted in unauthorised access of up to 20,000 accounts.
The statement emphasised that this number only represents 1% of the app’s 1.7 million users and that users who may have been affected have been contacted directly. However, all users have had their passwords reset as a precaution.
Payment card information was encrypted, and so should not be considered at risk, the statement says. However, information which may have been accessed includes name, gender, date of birth, nationality, country of residence, Air Canada account number, email address, phone number, passport details (including number, country of issuance and expiration date), and NEXUS number.
The statement reassured customers that the likelihood of the leaked passport data being used by a third party to obtain a physical passport was low, but failed to mention the ways in which passport details could be fraudulently used by criminals without requiring a physical copy. It warned customers that ‘as a continuing best practice’ they should ‘always’ monitor credit card transactions and their credit rating.
Air Canada also advised users that “it is important to select a robust password as per our instructions”.
Following the breach, Air Canada’s password guidelines came under criticism for limiting passwords to 6-10 characters and banning the use of special characters. Restrictions such as these make passwords easy for hackers to guess or brute force, which some have suggested is how the breach occurred. Going forward, the app recommends that passwords be at least 10 characters long and contain one special character.
