Air Canada app data breach involves passport numbers

Published 29 August 2018

Image caption: Experts say the loss of password details could be "severe" (image copyright Reuters)

Air Canada's app has suffered a data breach resulting in the suspected loss of thousands of its customers' personal details.

The airline has warned that users who had entered their passport details into the product may have had that data stolen.

Experts warn that the theft of such information would pose a serious ID fraud risk.

The firm has also been criticised for its relatively weak password system.

Although it is not clear how the breach occurred, one cyber-security specialist highlighted that Air Canada's website still says account passwords should contain between six and 10 characters, and that it accepts only letters and numbers, with no other symbols.

"Many users will choose short and easily guessable passwords," commented Amit Sethi, a security consultant at Synopsys.

"Moreover, users that want to use strong passwords cannot do so."

Image caption: Air Canada's website still says no special characters are allowed when creating an account password (image copyright Air Canada)

According to the Canadian government's own cyber-security advice, all passwords should "include at least one character that isn't a letter or number" and be a minimum length of eight characters.

The firm said it has adopted "improved password guidelines".

Its app now says that passwords should be at least 10 characters long and contain one symbol.

Account lock-outs

Air Canada said that it detected unusual login activity between 22 and 24 August and decided to lock down all 1.7 million of its accounts as a consequence.

It believes data has been stolen from about 20,000 of these, and has informed members of this group via email.

However, all customers will need to reset their logins to use the app again.

The airline says customers' credit card details were encrypted, so should not be at risk.

But basic profile data that could have been exposed includes names, email addresses and phone numbers.

In addition, it warned the following details may also have been copied if they had been provided:

passport number

passport country of issuance

passport expiration date

country of passport issuance

nationality

country of residence

birth date

The City of London's Action Fraud team told the BBC that the "consequences of having your passport information accessed can be severe".

It said banks, insurance firms and mobile phone providers were among businesses that request the data to set up accounts, but do not always require sight of the physical document.

Victims can face wrecked credit scores and bills, from which it can take months to extricate themselves.

In some cases, Action Fraud added, it is even possible to use the information to obtain genuine documents such as driving licences and new passports.

"The loss of passport data in this breach makes it unusual," commented Prof Alan Woodward, from the University of Surrey.

"Like driving licences, passports are considered government-issued ID and it is assumed that only the holder will know the contents.

"But we're at the point where so much sensitive data is being released via such breaches that we can no longer assume that mere knowledge of what is written in a passport is sufficient to verify ID online."