Air Canada has been forced to issue a password reset for all 1.7 million users of its Android, iOS and BlackBerry mobile app after up to 20,000 accounts were compromised by hackers last week.
According to Tuesday’s alert, the company detected “unusual login behaviour,” between August 22 and 24, after which it blocked further access.
For the 20,000 people believed to be directly affected by the breach, two types of data were put at risk:
- Name, email address, telephone number, and Air Canada Aeroplan account number.
- Potentially also passport number, NEXUS number (a system allowing rapid crossing of some borders), Known Traveler number, gender, birth date, nationality, passport expiration date, country of issuance, and country of residence.
Credit card numbers were encrypted and were not compromised. Passwords associated with the company’s Aeroplan points program were also not at risk, but users should still monitor transactions Air Canada said.
What next?
The company started contacting affected customers by email on Wednesday, but all 1.7 million users will need to reset their account passwords. This might take time:
Due to the large volume, some customers may experience a delay in the process to change their passwords. We ask customers to be patient and assure them their data is protected and not accessible to unauthorized users.
Resets will happen automatically when a customer next uses the mobile app, or can be initiated via the Air Canada portal.
Passport data
Given the size of the user base it could have been a lot worse than the 20,000 accounts Air Canada currently thinks have been affected, but that’s where the positives dry up.
One of the convenient features of the Air Canada app is its ability to hold passport data, a feature that allows passengers to get faster transit through customs in countries such as the US.
Air Canada hasn’t said how many of the 20,000 breached accounts were storing this data but any that were are now in the hands of the hackers. This raises the chance of identity crime and, possibly, passport cloning.
Air Canada, of course, is downplaying that risk, stating:
According to the Government of Canada’s passport website, the risk of a third party getting a passport in your name is low if you still have your passport, proof of citizenship, and supporting identity documents.
Arguably, caution dictates that passengers should cancel their passports and buy new ones. If customers wish to go down this route, it’s hard to see how Air Canada won’t be expected to reimburse that cost.
Leave a Reply