Security Breach Locks 1.7 Million Users Out Of Air Canada App


If you are an Air Canada flyer and have tried to access their mobile app over the past week, you may have found that you were unable to and were forced to change your password. That is because Air Canada identified a security breach between August 22 and 24, and some of the personal information of app users ‘may have been compromised.’

To be on the safe side, Air Canada is forcing all 1.7 million app users to change their password, to ensure their accounts will be safe in the future.

Air Canada says that only around 1% (so ~20,000) of users have been affected.

They have not disclosed exactly what personal information may have been compromised; however, it may include users’ names, email addresses and telephone numbers. If users chose to save the following additional information to their app profile, it may have been compromised:

  • Aeroplan membership number
  • Known Traveller Number
  • Passport number (and country of issue and expiry date)
  • Gender
  • Nexus number (Canadian-USA Trusted Traveller Number)
  • Date of birth
  • Nationality
  • Country of residence

Any credit card information stored is encrypted, and has not been improperly accessed.

Air Canada has released the following statement for app customers:

We detected unusual login behaviour with Air Canada’s mobile App between Aug. 22-24, 2018. We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile App accounts to protect our customers’ data.

To reactivate your Air Canada mobile App account, please see the instructions emailed to you or follow the prompts the next time you log into your Air Canada mobile App.

Your credit card information is protected. As a continued best practice, we recommend you should always monitor your credit card transactions and contact your financial services provider immediately if you become aware of any unusual or unauthorized activities.

Your Aeroplan password is not stored on Air Canada’s mobile App. As a best practice, we recommend you monitor your Aeroplan transactions and contact Aeroplan immediately if you become aware of any unusual or unauthorized Aeroplan transactions.

If you stored your passport information on your profile, the Government of Canada’s passport website advises that the risk of a third party obtaining a passport in your name is low if you still have your passport, proof of citizenship and supporting identity documents. Also, according to the website, the Government of Canada cannot issue a new passport to anyone based on only the information found in a passport.

Your privacy and the protection of your data are extremely important to Air Canada. Our security is multi-layered, and we work with leading industry experts to continuously improve our practices as technology and security procedures evolve.

You can continue to use Air Canada’s mobile App and mobile products with confidence.

Air Canada says it is directly contacting, by email, the roughly 1% of customers whose information was accessed, and has locked all accounts (forcing the password reset) as an additional security measure.

Existing passwords for desktop accounts are not stored on the app so have not been compromised.

They assure those members who do not receive an email that their account has not been improperly accessed.

Bottom line

Security breaches are becoming more and more common, and I guess it’s lucky that ‘only’ about one percent of members were affected, even though this was 20,000 members. I hate having to change my password for anything unnecessarily, as it is then different to my other passwords. I regularly have trouble remembering what it is, and end up having to continually change it.

But kudos to Air Canada for being so open, proactive and honest about the problem, and consequences, and what they are doing to manage it. This is awful publicity for them.

Have you been contacted by Air Canada about your mobile app account?

(Tip of the hat to LoyaltyLobby)

  1. Just a point of clarification, the Nexus number is a Canada-USA trusted traveler number, not a Canadian frequent traveller (sic) number.

  2. It’s bad practice to use the same password for all your accounts, so it’s a good thing your AC one is now out of sync with “the rest of them”.

  3. Yes, I have been contacted by Air Canada and I am part of the 1% that has been compromised.

    No big deal, try to log in, get an error message, change password, good to go

  4. @John Read

    You are fine with your personal details being hacked?

    Funnily enough there has been a concerted effort by AC in the Canadian media to downplay the dangers of access to the passport and Nexus numbers. Likewise certain Canadian security ‘experts’ have been weighing into the conversation in the media with similarly pitched ideas, almost reading from the same hymn sheet as AC itself. I have no doubt AC are media managing experts to downplay the leak of this data.

    Meanwhile over on the BBC it’s being noted that compromise of one’s own government ID, in this case passport/Nexus, is probably one of the most serious kinds of identity theft.

    AC are really hoping that folks don’t realize how serious of a hack this is. In terms of the data hacked this is as serious as the Equifax hack.
