
Air Canada mobile app breach affects 20,000 people

Air Canada says the personal information for about 20,000 customers "may potentially have been improperly accessed" via a breach in its mobile app, so the company has locked down all 1.7 million accounts as a precaution until customers change their passwords.

1.7 million use the app, but only about 1% may have been compromised

Air Canada says about one per cent of the people who use the app were affected by the possible breach. (AirCanada.com)

The airline told customers in an email that it "recently detected unusual login behaviour with Air Canada's mobile App between Aug. 22-24, 2018."

The company estimates about one per cent of the 1.7 million people who use the app may have been compromised.

The app stores basic information such as a user's name, email address and telephone number, all of which could have been improperly accessed.

Any credit card information on file would have been encrypted and as such protected, the company says.

But additional data such as a customer's Aeroplan number, passport number, Nexus number, known traveller number, gender, birth date, nationality, passport expiration date, passport country of issuance and country of residence could have been accessed, if users had them saved in their profile on the app.

As long as app users still have a valid passport and other pieces of supporting documentation, the government says the risk of someone filing for and receiving a new passport in their names is low.

Air Canada said it hasn't detected any improper log-in activity since last Friday, and it is in the process of contacting the 20,000 people directly affected.

In the meantime, the company has locked down all mobile app accounts and is instructing users to reset their passwords.

But many users on social media reported having difficulties doing so, likely due to the volume of people attempting to log on. The company advises anyone looking to get into the app to keep trying.

Chester Wisniewski, principal research scientist at cybersecurity firm Sophos, says any stolen information isn't likely to be overly problematic, but it does raise more concerning questions about practices behind the scenes.

"You never want someone to know your name, your birthday and your passport," he said.

He says he thinks it's unlikely that the company was targeted by hackers, but rather was simply caught off-guard by an enterprising cybercriminal.

"I suspect hackers stumbled across a bug in the API," he says, referring to the acronym for the application programming interface which is how the app communicates with Air Canada's servers on the back end.

"I don't think they were targeting Air Canada or they were intent on stealing specific info, there's a lot of hackers who are just scrolling the internet looking for doors that are ajar," he said.

"If they find a door that's open they start monkeying around."

He's concerned that the company has advised all customers, even those whose information wasn't accessed, to change their passwords.

Because it's limited to only eight characters, "their password policy was rather antiquated which suggests they weren't doing it right to begin with," he said. "If you stored them correctly you wouldn't do that."

With files from Meegan Read