Air Canada has issued a warning to users of its booking and check-in app that those who had entered their passport details into the app may well have had that data stolen through a cyberattack. This places those who entered their details at serious risk of identity theft and subsequent identity fraud. It is believed approximately 20,000 customers may have had their data stolen. Air Canada is the flag carrier and the largest airline of Canada by fleet size and passengers carried.
Profile data, such as names, email addresses, Aeroplan number, passport numbers, NEXUS numbers, Known Traveler numbers, genders, dates of birth, nationalities, passport expiration dates, passport countries of issuance and countries of residence can all be added to the app.
It is not yet clear how the data attack happened, CBC reports. The public became aware of the issue after Air Canada informed its customers via an email that it “recently detected unusual log‑in behavior with Air Canada’s mobile App between Aug. 22‑24, 2018.”
Air Canada has been criticized by industry commentators over its relatively weak security system, especially in relation to its password system. According to Amit Sethi, a security consultant at Synopsys, Air Canada only requires passwords to contain between six and 10 characters and accepts only letters and numbers, with no other symbols. As Sethi stated in an interview with the BBC about the issue: “Many users will choose short and easily guessable passwords. Moreover, users that want to use strong passwords cannot do so.”
These weak password controls place Air Canada outside of the Canadian government’s own cyber-security advice, which states that all passwords should “include at least one character that isn’t a letter or number” and be a minimum length of eight characters.