Cyber Incident Victim: Air Canada
Date: Aug 2018
Location: Canada
Summary
A breach of Air Canada's mobile app potentially exposed personal data of approximately 20,000 users, including names, contact details, and sensitive travel-related information such as passport numbers and Aeroplan membership details stored in profiles, though encrypted payment data remained secure. The airline detected unauthorized login activity over a brief period, prompting a precautionary lockdown of all 1.7 million app accounts and mandatory password resets, which caused user access difficulties due to high demand. Security experts criticized the company's outdated password policies and suggested the incident likely resulted from opportunistic cybercrime rather than a targeted attack.
Description
Air Canada detected unusual login activity on its mobile application between August 22 and August 24, 2018, prompting an investigation that revealed potential unauthorized access to customer data. The airline publicly disclosed the breach on August 29, 2018, notifying approximately 20,000 customers—representing about 1% of its 1.7 million mobile app users—that their personal information may have been improperly accessed. Compromised data included basic profile details such as names, email addresses, and telephone numbers stored within the app. For users who had saved additional travel documentation in their profiles, exposed information could have included Aeroplan loyalty numbers, passport numbers and expiration dates, Nexus identification, known traveller numbers, gender, birth dates, nationality, and country of residence. The company confirmed credit card information remained protected through encryption during the incident. No unauthorized logins were detected after August 24, though the investigation remained ongoing at the time of disclosure.

In response to the breach, Air Canada locked all 1.7 million mobile app accounts as a precautionary measure on August 29, requiring users to reset their passwords before regaining access. The company initiated direct notifications to the 20,000 potentially affected customers and advised all app users to change their passwords despite the limited scope of confirmed compromises. Password reset attempts caused technical difficulties for many customers due to high system demand, with Air Canada recommending repeated attempts until successful. The breach exposed security concerns regarding the app's password policy, which limited passwords to eight characters at the time of the incident. While authorities assessed passport-related identity theft risks as low provided victims maintained valid documentation, the incident highlighted potential vulnerabilities in Air Canada's authentication systems and data protection practices. The airline maintained continuous monitoring following the containment of the unauthorized access period.
