Air Canada has forced a password reset for its mobile app users after spotting unauthorized access attempts which may have compromised personal data on as many as 20,000 customers.

The airline claimed to have discovered “unusual login behavior” between August 22-24.

“We immediately took action to block these attempts and implemented additional protocols to block further repeated unauthorized attempts,” it added. “As an additional security precaution, we have locked all Air Canada mobile app accounts to protect our customers’ data.”

The firm began notifying the affected users, which represent 1% of its total global app user profiles, on Wednesday and claimed it was confident the incident hasn’t affected others.

If attackers have managed to compromise accounts, they will be able to access profile data including name, email address and telephone number. However, Air Canada explained that some customers may also have added more sensitive details including Aeroplan number, passport number, NEXUS number, known traveler number, gender, birth date, nationality, passport expiration date, passport country of issuance and country of residence.

All credit card information is encrypted in accordance with PCI DSS requirements, but the airline also urged customers to review their financial transactions regularly.

“We are also requiring all Air Canada mobile App users to re-set their passwords using improved password guidelines to further enhance security measures,” it added. “A more robust password provides an extra layer of protection.”

It’s unclear if users will be forced to create strong passwords or if the guidelines are voluntary.

Security experts questioned why the airline still relies on password-based authentication for customers when multi-factor authentication (MFA) represents industry best practice.

“It’s 2018. Why hasn’t the airline already mandated stronger passwords? Secondly, for personal information as important as possibly passport data, why hasn’t the airline mandated or at least offered multi-factor authentication for its users?” asked One Identity senior director, Bill Evans.

“These are relatively simple measures that could and should have been deployed prior to the challenges of the past two weeks.”

Bill Conner, CEO of SonicWall, added that some of the potentially stolen details will fetch a high price on the dark web as they cannot be easily changed.

“As threats continue to loom and intensify, total end-to-end security is key, including a layered approach to security across wired, wireless, mobile and cloud networks, as well as employee education and the securing IoT devices to prevent tampering and unauthorized access,” he concluded.

It's yet to be confirmed whether the incident came as a result of a breach of Air Canada’s systems or if hackers cracked users’ account by using previously breached data, although the relatively small number of accounts affected would suggest the latter.