Air Canada Mobile App Breach Affects 20,000 People (www.cbc.ca)
Air Canada told customers in an email today that the personal information for about 20,000 customers "may potentially have been improperly accessed" via a breach in its mobile app. As a precaution, the airline locked down all 1.7 million accounts until customers change their passwords. CBC.ca reports: The app stores basic information such as a user's name, email address and telephone number, all of which could have been improperly accessed. Any credit card information on file would have been encrypted and as such protected, the company says. But additional data such as a customer's Aeroplan number, passport number, Nexus number, known traveller number, gender, birth date, nationality, passport expiration date, passport country of issuance and country of residence could have been accessed, if users had them saved in their profile on the app. Air Canada said it hasn't detected any improper log-in activity since last Friday, and it is in the process of contacting the 20,000 people directly affected.
as some of that info can be used for fraud
The article shares few details. The so-called app flaw seems to be a flaw in a server-side API, but we are not told about its nature and criticality.
$29 for a flight to club baby seals
For most companies, "security has no ROI" is a method of operation. I have been told by many VPs, "A company will never make their quarterly numbers by 'investing' in security products", "no business has gone bankrupt due to a security breach", or "the only one that profits from more sophisticated locks is the lock maker."
However, since insider trading isn't really a crime that is enforced these days, C-levels can not bother with security, and as soon as they hear about a breach, short their stock, then announce the breach, making mucho dinero.
... So, all of them?
Your ideas intrigue me and I wish to subscribe to your newsletter.
Hosers
I'd think Ryanair would be the first.
Air Canada states they haven't detected any improper login attempts, etc., since the breach was discovered.
They probably aren't going to either ... people who steal credentials from insecure servers generally wait about six months before they use the data against the victims. This makes the source of the purloined data more difficult to detect.
Unlike in the US, Canadian Social Insurance Numbers (equivalent to Social Security numbers in the US) are not generally used as ID. The Government of Canada warns citizens not to use it for that purpose, and even to never carry their SIN card with them. It is required if the other party pays the SIN holder income, such as a job or an interest paying bank account.
By law no one not legally required to obtain a SIN is prohibited from even asking for one. However with paper forms sometimes there is a space to enter it, as the SIN owner can voluntarily provide it, but that field cannot be mandatory in any way.
I have never provided mine to anyone not authorized to ask for one, and as such it is not part of my Credit File. This has never resulted in any problems in applying for Credit (e.g. Credit Cards), although every CC application does have the field to fill out, usually down the application a bit past the required identification fields, if the SIN card owner is unaware of the law and the requirements, so many Canadians have provided it and in that case it does appear on the Credit File.
Passport data is perhaps even more serious. I would expect that it would be valuable to certain people*, so it will be interesting to see what Air Canada suggests to those affected, and what Canada will do to deal with the breach. I would not be surprised to learn that affected individuals may be required to obtain new Passports.
* Aside from the usual criminally minded individuals who would like to exploit any credential theft for the usual reasons, certain State actors have used forged Canadian passports in the past as part of shady operations. Notably the Mossad (Israeli Intelligence) have been caught doing so.
Hi APK. How is it living in the basement of your mom's duplex she left you when she fled back to Poland to enjoy her retirement free from having to babysit a retarded manchild?