Air Canada Presses Reset After App Security Snafu: Air Canada has forced users to reset their mobile app passwords after spotting unauthorized access attempts that may have compromised the personal data of as many as 20,000 customers.
The airline said it had discovered “unusual login behavior” between August 22 and 24.
“We immediately took action to block these attempts and implemented additional protocols to block further repeated unauthorized attempts,” it added. “As an additional security precaution, we have locked all Air Canada mobile app accounts to protect our customers’ data.”
It began notifying affected users, who represent over 1% of its total global app user profiles, on Wednesday, and said it was confident the incident has not affected others.
If the attackers managed to compromise the accounts, they would have been able to access profile data including name, email address and telephone number. However, Air Canada explained that some customers may also have stored more sensitive details, including Aeroplan number, passport number, NEXUS number, known traveler number, gender, birth date, nationality, passport expiration date, passport country of issuance and country of residence.
All credit card information is encrypted in accordance with PCI DSS requirements, but the airline also urged customers to review their financial transactions regularly.
“We are also requiring all Air Canada mobile app users to reset their passwords using improved password guidelines to further enhance the security measures,” it added. “A more robust password provides an extra layer of protection.”
It is unclear whether users will be forced to create strong passwords or whether the guidelines are voluntary.
Security experts questioned why the airline still relies on password-based authentication for customers when multi-factor authentication (MFA) is the industry best practice.
“It’s 2018. Why hasn’t the airline already mandated stronger passwords? Secondly, for personal information as important as possibly passport data, why hasn’t the airline mandated or at least offered multi-factor authentication for its users?” asked One Identity senior director, Bill Evans.
“There are relatively simple measures that could and should have been deployed prior to the challenge of the past two weeks.”
Bill Conner, CEO of SonicWall, added that some of the potentially stolen details would fetch a high price on the dark web because they cannot easily be changed.
“As threats continue to loom and intensify, total end-to-end security is key, including a layered approach to security across the wired, wireless, mobile and cloud networks, as well as employee education and securing IoT devices to prevent tampering and unauthorized access,” he concluded.
It has not yet been confirmed whether the attackers got into the users’ accounts using previously breached data.