August 30, 2018, updated 04 Jan 2019 4:38pm

Air Canada data breach puts customers’ passport details at risk

By Ellen Daniel

Air Canada has revealed that a security breach, affecting 20,000 customers, may have left passport information vulnerable to cyber attackers.

The largest airline in Canada reported the breach on 28 August, and urged users of its mobile app to reset their accounts as a security precaution following “unusual login behaviour”. It has also locked all Air Canada mobile app accounts to protect customer data.

Of the 1.7 million Air Canada mobile app users, the airline has reported that approximately 1%, or 20,000 profiles, may potentially have been improperly accessed.

As well as users’ names, email addresses and telephone numbers, Air Canada has confirmed that more sensitive information, including passport numbers, may be included in the breach. Credit card information, however, is encrypted and therefore not at risk.

According to the BBC, the Air Canada data breach may have been caused by a weak password system. Air Canada’s mobile app only requires passwords to be between six and ten characters, and does not allow symbols, making passwords easy to guess. The airline has said that it has since implemented “improved password guidelines” designed to “further enhance security measures”.

In a statement, the airline said:

“We detected unusual login behaviour with Air Canada’s mobile App between August 22-24, 2018. We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorised attempts. As an additional security precaution, we have locked all Air Canada mobile app accounts to protect our customers’ data.”

Air Canada data breach is the latest in a series of breaches

The Air Canada data breach is just one in a long line of similar cyber-attacks. Just last week, telecom company T-Mobile confirmed that it had suffered a security breach on its US servers, exposing the personal data of up to two million customers.

Earlier this month, Butlins, a UK holiday camp, also admitted that the details of 34,000 customers, including addresses and telephone numbers, may have been stolen.

This follows the news that data breach complaints made to the Information Commissioner’s Office have increased by 160% since the General Data Protection Regulation (GDPR) came into force in May.

The sheer number and scale of recent breaches call the security practices of the companies involved into question. Last year, a report from the Identity Theft Resource Center and CyberScout revealed that data breaches in the US hit a record high in 2017, increasing by 29% in the first half of the year.

Furthermore, a survey by software and cyber-security company OGL found that 51% of businesses thought they wouldn’t be able to cope with a data breach.

Commenting on the T-Mobile data breach, Charl van der Walt, Chief Security Strategy Officer at SecureData, said he believes that the problem of data breaches could take years to untangle:

“No doubt the causes of this breach will be scrutinised in minute detail to determine whether, how and to what extent T-Mobile is responsible for this loss, and regulatory fines, SEC penalties and civil law suits may all follow. But none of this is likely to change the fundamental fact that billions of these kinds of records are being leaked to the Internet at a growing rate with all the implications for privacy, digital security and person safety that that brings.

“Addressing the problem of personal data leaks will take years or decades even and will require political will and deep commitment from business, government, and the security industry.”
