Air Canada this week notified customers of malicious activity around its mobile app and prompted users to reset their passwords as a precautionary measure.
The company says it detected unusual login behavior with its mobile application between Aug. 22 and 24, 2018, and that the password reset was the result of that incident.
“We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile App accounts to protect our customers’ data,” the company said.
Out of the 1.7 million Air Canada mobile App user profiles, approximately 20,000 might have been improperly accessed during the attack, and the company says it is contacting potentially affected customers directly.
However, all of the company’s mobile users were asked to reset their passwords using improved password guidelines.
Air Canada says users’ credit card information is protected, but recommends keeping an eye on all transactions. The basic profile data stored on the mobile app account includes name, email address, and telephone number.
However, users may also add their Aeroplan number, passport number, NEXUS number, Known Traveler Number, gender, birthdate, nationality, passport expiration date, passport country of issuance, and country of residence. The Aeroplan password is not stored in the app.
“Credit cards that are saved to your profile are encrypted and stored in compliance with security standards set by the payment card industry or PCI standards,” the company says.
“As the frequency and voracity of cyberattacks continue to increase, privacy and protection laws, such as the ones introduced in Europe (General Data Protection Rules), and here in Canada with the Personal Information Protection and Electronic Documents Act (PIPEDA), become more critical. These laws need to tighten, ensuring companies have well understood rules and triggers for privacy and data breach notification, timelines for response, and fully understand their obligations when it comes to protecting the information of its employees and customers. Until then, it’s open season on our data and hard-earned wealth,” Sangster concluded.