Air Canada, the largest airline of Canada by fleet size and passengers carried, has reported a massive data breach of its app, putting thousands of passenger passport details, among other personal information, at risk.
Air Canada’s Response
The airline issued a warning to mobile app users that their personal data may have been compromised in a cyberattack. This may placs those who entered their details at risk of identity theft. It is believed approximately 20,000 customers may have had their data stolen. All Air Canada app users have been asked to change their passwords.
Profile data, such as names, email addresses, passport numbers, genders and dates of birth, among others, can all be stored in the airline’s app – making this stored data a potential target in the attack.
It is not yet clear how the data attack happened, CBC reports. However, the public became aware of the issue after Air Canada informed its customers via email that it, “detected unusual log‑in behavior with Air Canada’s mobile app between Aug. 22‑24, 2018.”
Previous Security Concerns
Air Canada has been criticized by industry commentators over its relatively weak security system, especially its password system. According to Amit Sethi, who is a security consultant at Synopsys, Air Canada only requires passwords to contain between six and 10 characters and that it only accepts letters and numbers, but no special characters.
Sethi warns that “Many users will choose short and easily guessable passwords. Moreover, users that want to use strong passwords cannot do so.”
These weak password controls place Air Canada outside of the Canadian government’s own cybersecurity advice requiring all passwords to “include at least one character that isn’t a letter or number” and be a minimum length of eight characters.
Password Best Practices
Strong passwords are the first line of defense into a network. If passwords are short or simple to guess, it’s relatively easy for a malicious actor to brute force these weak accounts and compromise the network.
- Passwords should have a minimum length of at least twelve characters (think passphrase).
- Passwords should contain numeric, upper and lowercase alphabetic, and special characters.
- Use a different password/passphrase for each account.
- Users should not re-use a password.