Air Canada Data Breach: Mobile App Users Locked Out

Air Canada Data Breach – Recently, Air Canada customers using its mobile app had trouble logging back in to the app because they were locked out. Reportedly, Air Canada suffered a data breach that affected around 20,000 mobile app users. After the incident, the airline locked out all 1.7 million customers as a security precaution.

Air Canada Data Breach

As announced by the airline, Air Canada suffered a data breach that affected 1% of its total mobile app users. This points to a count of 20,000 victims in this breach.

As mentioned in its notice, the airline had noticed the breach earlier, and officials quickly terminated it. They observed some unusual activity in the mobile app, whereupon they suspected that attackers might have accessed their database. They immediately began investigating the matter and concluded that the unknown attackers had accessed around 20,000 user profiles.

“We detected unusual login behaviour with Air Canada’s mobile App between Aug. 22-24, 2018. We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts.”

After the investigations, the airline disclosed the breach on August 28, 2018, and also began sending alerts to the affected 20,000 users. Moreover, out of an abundance of caution, it also locked all of its customers’ profiles, requiring them to reactivate their accounts. It has sent detailed instructions about resetting account passwords to all 1.7 million customers, regardless of whether or not they were affected by the breach.

While the investigations revealed various details about the breach, how the incident took place has yet to be disclosed. At the moment, Air Canada has simply stated that it noticed unauthorized access to its data. It is still not known whether the hackers directly attacked its systems or whether its website suffered a third-party data breach.

What Information Was Breached

While signing in to the mobile app, Air Canada users are required to enter various personal and financial details. These include names, contact numbers, email addresses, gender, birthdates, nationality, country of residence, passport numbers, passport expiry dates and the country of issuance, Aeroplan number, NEXUS number, the Known Traveler Number, and credit card details.

As explained in their notice, the credit card details remained safe during the breach. However, other details were exposed.

“Your credit card information is protected. Credit cards that are saved to your profile are encrypted and stored in compliance with security standards set by the payment card industry or PCI standards.”

What is safe from this breach? The data which is not stored on the app: Aeroplan numbers and credit card details.

Air Canada Data Breach: Maintain Customers’ Data Security

The company stresses that it considers customers’ security essential, and that it takes all possible security measures for that reason.

“Air Canada approaches security in a multi-layered manner […] We continuously improve our practices as technology and security practices evolve.”

Nonetheless, Setumadhav Kulkarni, Vice President, Product & Corporate Strategy at WhiteHat Security, expressed his concern to ZDNet, saying:

“The breach was through the mobile application, and it’s very possible that the backend services used by the mobile app are the same ones the web app and other backend systems use — which could imply a potentially wider-reaching breach.”

Air Canada urges all customers to reset their accounts and set up robust passwords. Moreover, it recommends that customers vigilantly monitor their bank accounts, credit transactions, and any transactions to Aeroplan to detect possible fraudulent activity.

How can you prevent Web App issues?

Swascan developed a unique tool to test Web Applications and Websites. Our Vulnerability Assessment service allows you to identify, analyze and solve vulnerabilities in a very effective and efficient way.

Together with this service, Swascan offers a wide range of CyberSecurity services, both integrated and not integrated in the platform.

To check for vulnerabilities in your network and source code, there are dedicated on-platform services as well.
