Hackers may have accessed detailed passport information on thousands of Air Canada customers after its app was compromised late last week
Security experts have warned that the compromise of passport data in this week’s Air Canada data breach could pose a serious risk of identity fraud for those affected.
The breach involved Air Canada’s mobile app, which is integrated with its Aeroplan frequent flyer programme.
The airline detected unusual login activity between 22 and 24 August and in response it locked all 1.7 million users out of their accounts, forcing them to reset their passwords.
The firm disclosed the incident publicly this week, but didn’t disclose further details on how the breach may have occurred.
It said about 20,000 users may have had data stolen, including passport information, if customers had chosen to enter that data.
The affected users have been informed via email, Air Canada said.
It said credit card information is encrypted and therefore should not be at risk.
But the app collects basic profile information that includes names, email addresses and phone numbers, and this may have been exposed.
In addition, other information may have been compromised if users entered it, including passport number, country of issuance and expiration date, as well as the user’s nationality, country of residence and birth date.
Security experts said passport data can be used to open accounts with organisations such as banks, insurance firms and mobile phone providers, which can lead to fraudulent bills and issues with the individual’s credit score.
Air Canada said that according to the Canadian government, the risk of third parties fraudulently obtaining a passport is “low”, even having obtained details on the document.
“According to the website, the Government of Canada cannot issue a new passport to anyone based on only the information found in a passport,” Air Canada stated.
The airline said data protection is “extremely important” and that it had acted immediately to mitigate the issue when it occurred.
“Our security is multi-layered, and we work with leading industry experts to continuously improve our practices as technology and security procedures evolve,” the airline stated.
It recommended that customers “regularly review their financial transactions, be aware of any changes to their credit rating, and contact their financial services provider” if unusual activities occur.
Fraud prevention service Cifas said identity fraud cases reached record levels last year, due in part to the increased availability of personal data online.
While such scams fell slightly overall in the first six months of this year, the first drop since 2014, certain areas continued to rise, with fraudulent applications for plastic card accounts rising sharply.
The organisation said the increased use of personal information in apps and online meant individuals and organisations alike needed to take more care in protecting sensitive data.
“With identity fraud remaining uncomfortably high, more personal information available online, and increasing numbers of data breaches, the protection of personal data must be viewed as a collective responsibility,” said Sandra Peaston, director of strategy, policy and insight at Cifas.