Air Canada says mobile app breach may affect up to 20,000 customers
Aeroplan numbers, passport numbers, birth dates, nationalities and countries of residence could have been accessed.
MONTREAL—Some 20,000 Air Canada customers woke up Wednesday to learn their personal information may have been compromised after a breach in the airline’s mobile app that prompted a lockdown on all 1.7 million accounts until their passwords could be changed.
Air Canada said it detected unusual login activity between Aug. 22 and Aug. 24 and tried to block the hacking attempt, locking the app accounts as an additional measure, according to a notice on its website.
Mobile app users also received an email alerting them as to whether their account had been affected.
The app stores basic information including a user’s name, email and phone number.
Any credit card data is encrypted and would be protected from a breach, Air Canada said.
But Aeroplan numbers, passport numbers, birth dates, nationalities and countries of residence could have been accessed if users saved them in their account profile, the company said.
“Some data, such as names or emails, may have been visible if an unauthorized user was able to gain access to an account,” spokeswoman Isabelle Arthur said in an email.
The risk of a third party obtaining a passport in someone else’s name is low if the user still has their passport and supporting documents, according to the federal government.
Users can reactivate their account under stricter password guidelines by following instructions emailed to them or prompts when logging in.
Some users reported problems with the process on social media, likely due to the volume of customers trying to unlock their account.
Air Canada advised anyone looking to access the app to keep trying.
In March, the airline said some customers who booked hotels through its former travel partner Orbitz may have had their personal data stolen.
Nearly 2,300 bookings through Air Canada hotel options could have been involved in a data breach of hundreds of thousands of records that Orbitz reported earlier this year, Air Canada said.
The Expedia-owned travel website operator, whose platform Air Canada no longer uses, disclosed on March 20 that hackers may have accessed personal information from about 880,000 payment cards in 2016.