Air Canada Presses Password Reset


Air Canada has forced a password reset for users of its mobile app. This comes after
unauthorised access attempts which may have compromised personal data on as many as
20,000 customers. The airline claims this “unusual login behaviour” was discovered between
22nd and 24th August 2018.

“We immediately took action to block these attempts and implemented additional protocols
to block further repeated unauthorized attempts,” it added. “As an additional security
precaution, we have locked all Air Canada mobile app accounts to protect our customers’
data.”

The firm began to notify those affected, who represent 1 per cent of its total global user
profiles. The airline says it is confident that the incident has not affected other accounts.

Air Canada Access Risks

When attackers compromise accounts, they can access profile data. This includes names,
email addresses and telephone numbers. However, the airline explained that some
customers may have added more sensitive information to their profiles. This includes
Aeroplan number, passport information, NEXUS number and known traveller number. It
also includes information such as gender, nationality and date of birth.

Password Resets

All credit card information is encrypted in accordance with requirements under PCI DSS.
However, the airline urged customers to check their financial transactions on a regular basis.
“We are also requiring all Air Canada mobile App users to reset their passwords using
improved password guidelines to further enhance security measures,” it added. “A more
robust password provides an extra layer of protection.”

Questionable Security

It is not clear whether users will be forced to create strong passwords or whether the
guidelines are voluntary. Security experts also questioned why Air Canada still relies on
password-based authentication alone for customers, given that multi-factor authentication
(MFA) is well established as industry best practice.

“It’s 2018. Why hasn’t the airline already mandated stronger passwords? Secondly, for
personal information as important as possibly passport data, why hasn’t the airline mandated
or at least offered multi-factor authentication for its users?” asked One Identity senior
director, Bill Evans.

“These are relatively simple measures that could and should have been deployed prior to the
challenges of the past two weeks.”

Dark Dangers

Bill Conner, CEO of SonicWall, commented further that some of the potentially stolen details
will be worth a fair bit on the dark web, because, unlike a password, information such as
passport or nationality details is difficult for the victim to change.

“As threats continue to loom and intensify, total end-to-end security is key, including a
layered approach to security across wired, wireless, mobile and cloud networks, as well as
employee education and the securing of IoT devices to prevent tampering and unauthorized
access,” he concluded.

It is yet to be confirmed whether the incident is the result of a breach of Air Canada’s own
systems. It could instead be down to attackers logging in to users’ accounts with credentials
exposed in previous breaches elsewhere. The relatively small number of accounts affected
would suggest the latter.
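One way a defender can test the reuse-of-breached-credentials hypothesis against authentication logs is to look for a single source trying many distinct accounts with a low success rate, and to list the accounts that did succeed so they can be reset and their owners notified. The block below is an added illustration, not Air Canada’s code; the log format, addresses and account names are constructed, and the thresholds are assumptions to be tuned per deployment.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not Air Canada data): one line per login attempt.
# 203.0.113.7 cycles through many accounts with mostly failures; the others are ordinary users.
SAMPLE_LOG = """\
2018-08-22T10:00:01Z src=203.0.113.7 user=u1 result=FAIL
2018-08-22T10:00:02Z src=203.0.113.7 user=u2 result=FAIL
2018-08-22T10:00:03Z src=203.0.113.7 user=u3 result=OK
2018-08-22T10:00:04Z src=203.0.113.7 user=u4 result=FAIL
2018-08-22T10:00:05Z src=203.0.113.7 user=u5 result=FAIL
2018-08-22T10:00:06Z src=203.0.113.7 user=u6 result=OK
2018-08-22T10:00:07Z src=203.0.113.7 user=u7 result=FAIL
2018-08-22T10:00:08Z src=203.0.113.7 user=u8 result=FAIL
2018-08-22T10:01:00Z src=198.51.100.5 user=carol result=OK
2018-08-22T10:02:00Z src=198.51.100.5 user=carol result=OK
2018-08-22T10:03:00Z src=192.0.2.9 user=erin result=FAIL
2018-08-22T10:03:10Z src=192.0.2.9 user=erin result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(log):
    """Parse log text into a list of dicts; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]


def flag_credential_stuffing(events, min_accounts=5, max_success_rate=0.3):
    """Return {src: stats} for sources that look like credential stuffing: one source
    trying many distinct accounts with a low success rate. 'compromised' lists the
    accounts that did log in from such a source, i.e. those needing a reset and notice."""
    per_src = defaultdict(lambda: {"users": set(), "ok_users": set(), "ok": 0, "attempts": 0})
    for e in events:
        s = per_src[e["src"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "OK":
            s["ok"] += 1
            s["ok_users"].add(e["user"])
    flagged = {}
    for src, s in per_src.items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_accounts and rate <= max_success_rate:
            flagged[src] = {"accounts": len(s["users"]), "attempts": s["attempts"],
                            "success_rate": round(rate, 2), "compromised": sorted(s["ok_users"])}
    return flagged
```

Ordinary users who mistype a password once are not flagged because they touch only their own account; a source that succeeds on a small fraction of many accounts is, which is the pattern a small affected population out of a large user base points to.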
