Air Canada Mobile App Breach Affects 20,000 People
1.7 million use the app, but only about 1% may have been compromised
Air Canada says the personal information for about 20,000 customers "may potentially have been improperly accessed" via a breach in its mobile app, so the company has locked down all 1.7 million accounts as a precaution until customers change their passwords.
The airline told customers in an email that it "recently detected unusual log‑in behaviour with Air Canada's mobile App between Aug. 22‑24, 2018."
The company estimates about one per cent of the 1.7 million people who use the app may have been compromised.
The app stores basic information such as a user's name, email address and telephone number, all of which could have been improperly accessed.
Any credit card information on file would have been encrypted and as such protected, the company says.
But additional data such as a customer's Aeroplan number, passport number, Nexus number, known traveller number, gender, birth date, nationality, passport expiration date, passport country of issuance and country of residence could have been accessed, if users had them saved in their profile on the app.
As long as app users still have a valid passport and other pieces of supporting documentation, the government says the risk of someone filing for and receiving a new passport in their names is low.
Air Canada said it hasn't detected any improper log-in activity since last Friday, and it is in the process of contacting the 20,000 people directly affected.
In the meantime, the company has locked down all mobile app accounts and is instructing users to reset their passwords.
But many users on social media reported having difficulties doing so, likely due to the volume of people attempting to log on. The company advises anyone looking to get into the app to keep trying.
Chester Wisniewski, principal research scientist at cybersecurity firm Sophos says any stolen information isn't likely to be overly problematic, but it does raise more concerning questions about practices behind the scenes.
"You never want someone to know your name, your birthday and your passport," he said.
He says he thinks its unlikely that the company was targeted by hackers, but rather was simply caught off-guard by an enterprising cybercriminal.
"I suspect hackers stumbled across a bug in the API," he says, referring to the acronym for the application programming interface which is how the app communicates with Air Canada's servers on the back end.
"I don't think they were targeting Air Canada or they were intent on stealing specific info, there's a lot of hackers who are just scrolling the internet looking for doors that are ajar," he said.
"If they find a door that's open they start monkeying around."
He's concerned that the company has advised all customers — even those who's information wasn't accessed — to change their passwords.
Because it's limited to only eight characters, "their password policy was rather antiquated which suggests they weren't doing it right to begin with," he said. "If you stored them correctly you wouldn't do that."
Source: cbc

Latest Jobs
-
- IAM Consultant- One Identity Manager- UK Wide
- Manchester
- Upto £75,000 plus excellent benefits
-
One Identity IAM consultant is needed for this expanding UK based business, you will be responsible for: Developing and Supporting the Identity and Access management system based-on One Identity products Active Roles Server and Identity Manager. Further develop One Identity Manager’s integration with Service Now to provide automated JML processes and application access requests and fulfilment. Work across the business ensuring that the IAM solutions integrates into both the technology and business systems and processes, ideally automating as mush as possible. Work with the Governance Risk & Compliance (GRC) team to provide application access attestations and toxic combination alerting and reporting. Work on a mixture of IAM related projects to help to integrate new ideas and technology into the business to ensure the business stays fully compliant Assist in ensuring that all IAM capabilities are mapped to internal processes, policies, and standards. Develop metrics to measure and improve and also compile reports around the solution If you are interested in this opportunity we are looking for someone who is skilled within Identity Acess management, you will need to have worked with the One Identity product, ideally both Active Roles Server and Identity Manager Experience in managing and integrating with Microsoft systems (on-premise and cloud), such as Active Directory, Exchange, Office, SharePoint, etc.
-
- SailPoint Integration Consultant
- Unknown
- Upto £75000 plus benefits
-
SailPoint Integration Consultant. SailPoint Integration Consultant is needed for this expanding service business to help them with complex deployment with their FTSE focused customer base. They are looking for experienced SailPoint Integration Consultants who have: • Strong solution designing experience with in depth understanding of IAM concepts and thorough understanding of Sailpoint domain. • Thorough understanding of Identity and Access Governance concepts • Leading and creating Identity & Access Management (IAM) technical architecture • Secure by Design principles in Identify Access management, Privilege Access management • Familiar with cloud architectures, data management and source control from a security perspective. This is a great opportunity to join a business that is growing and looking for individuals who want to grow and develop and work on some of the most complex Sailpoint deployments.
-
- CyberArk Integration Consultant
- Greater London
- upto 75,000 plus benefits
-
CyberArk Integration Consultant. CyberArk Integration Consultant is needed for this expanding service business to help them with complex deployment with their FTSE focused customer base. They are looking for experienced CyberArk Integration Consultants who have: • Strong solution designing experience with in depth understanding of IAM concepts and thorough understanding of CyberArk domain. • Thorough understanding of Identity and Access Governance concepts • Leading and creating Identity & Access Management (IAM) technical architecture • Secure by Design principles in Identify Access management, Privilege Access management • Familiar with cloud architectures, data management and source control from a security perspective. This is a great opportunity to join a business that is growing and looking for individuals who want to grow and develop and work on some of the most complex CyberArk deployments.
-
- Penetration Tester, UK based. Ability to achieve SC clearance
- United Kingdom
- 55000
-
Experienced Penetration tester- UK based with the ability to achieve SC clearance. On-going training and development and paid certifications / renewals. Interested to hear from all areas of penetration testing, web app, infrastructure, mobile, etc. MUST have current hands on experience delivering penetration testing. Ideally from a consultancy background with experience working with multiple clients. OSCP / CREST / CHECK / Tigerscheme penetration testing experience / certifications desirable. Apply today for more details. All information kept in the strictest of confidence.