Air Canada; My Home and Native (Airline)
Each country has its own set of airlines servicing its area. Based on the market, certain countries have more or less than the others. These fly throughout their respective nation and world. Most persons, as a national course of business, go online, enter their information, including credit card numbers, to purchase the airline tickets. This occurs throughout the globe every single day without an issue. An option also is to do this with a mobile device.
Air Canada has a number of users purchasing tickets. A portion of these purchases are done on a mobile device using the mobile app. These were the focus of the attack. A subset of these, who had entered into the system their passport information, may have had their data stolen.
Air Canada had been previously criticized for their weak password system. The prior convention used was 6-10 characters (letters and numbers), but no other symbols. With this possibly short passwords in place, there are two issues. One is the lack of complexity with the acceptable passwords, and the other is the potential for the users to use these passwords across multiple domains. In comparison, the official guidance from the Canadian government is for passwords to have a minimum length of eight characters and at least one character that is not a letter or number. Seemingly, Air Canada would have followed the guidance from their own government.
After the attack Air Canada required the password to be at least 10 characters and one symbol. Air Canada was not sure yet how the mobile app breach occurred. This was a relatively serious issue as approximately 20k account’s data is believed to have been stolen. This is approximately 1% of their clientele. The data did not include the credit card details, as these were encrypted. This did include the client’s name, email address(es), phone numbers, passport numbers, passport country of issuance, expiration date, nationality, gender, and country of residence.
This list is rather substantial and the data someone would need to assume another’s identity. Also the attackers, or persons subsequently with this data could set up other accounts at banks, open credit cards, and other actions which would negatively impact the user’s credit scores.
On a tangent, Air Canada did however respond quickly to the issue. Their effort is applauded. The business also updated the password convention to a more appropriate level.
The attack and compromise would not have been something unknown for an extended period. There had been a large, unusual level of activity between August 22-24, 2018. This was in the form of the large number of log-ins during this period. The volume was well outside of the normal value, even with a margin of error attached.
The airline, to be thorough, locked down the entirety of the 1.7M accounts. The management did not want subsequent issues continuing if a handful of the accounts were missed. In order to continue to use the service, the users would need to reset their password to access their account again.
Passwords are a touchy subject with users. The users want passwords that are easy to remember and short. In the alternative, the users would like to not use passwords at all. However, some form of authentication is required. For the users, dependent on the use case, a password manager or generator may work well. Also using MFA would be beneficial.
BBC News. (2018, August 29). Air canada app data breach involves passport numbers. Retrieved from https://www.bbc.co.uk/news/technology-45349056
Constantin, L. (2018, August 30). Hackers access data. Retrieved from https://securityboulevard.com/2018/08/air-canada-resets-customers-passwords-after-hackers-access-data/
Dunn, J.E. (2018, August 30). Air canada resets 1.7 million accounts after app breach . Retrieved from https://nakedsecurity.sophos.com/2018/08/30/air-canada-resets-1-7-million-accounts-after-app-breach/
Evans, P. (2018, August 29). Air canada mobile app breach affects 20,000 people. Retrieved from https://www.cbc.ca/news/business/air-canada-mobile-app-1.4802879
Johnson, B. 92018, August 30). All 1.7 million air canada app users must reset passwords after breach. Retrieved from https://www.itworldcandda.com/article/all-1-7-million-air-canada-app-users-must-reset-password-after-breach/
Osborne, C. (2018, August 30). Air canada reveals mobile data breach, passport numbers potentially exposed. Retrieved from https://www.zdnet.com/article/air-canda-reveals-mobile-data-breach-passport-numbers-potentially-exposed/
Reynolds, C. (2018, August 29). Air canada says mobile app breach may affect up to 20,000 customers. Retrieved from https://www.ctvnews.ca/business/air-canda-says-mobile-app-breach-may-affect-up-to-20-000-customers-1.4072467
Seals, T. (2018, August 30). Travel breaches hit air canada and asia-pac hotelier. Retrieved from https://threatpost.com/travel-breaches-hit-air-canda-and-asia-pac-hotelier/137059/
Security Experts. (2018, August 30). Air canada breach. Retrieved from https://www.informationsecuritybyzz.com/expert-comments/security-experts-comments-air-canada-breach/
Whittaker, Z. (2018, August 29). Air canada confirms mobile app data breach. Retrieved from https://techcrunch.com/2018/08/29/air-canada-confirms-mobile-app-data-breach/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.