Air Canada’s app has suffered a data breach resulting in the suspected loss of thousands of its customers’ personal details.
The airline has warned that users who had entered their passport details into the product may have had that data stolen.
Experts warn that the theft of such information would pose a serious ID fraud risk.
The firm has also been criticised for its relatively weak password system.
Although it is not clear how the breach occurred, one cyber-security specialist highlighted that Air Canada’s website still says account passwords should contain between six and 10 characters, and that it accepts only letters and numbers, with no other symbols.
“Many users will choose short and easily guessable passwords,” commented Amit Sethi, a security consultant at Synopsys.
“Moreover, users that want to use strong passwords cannot do so.”
According to the Canadian government’s own cyber-security advice, all passwords should “include at least one character that isn’t a letter or number” and be a minimum length of eight characters.
The firm said it has adopted “improved password guidelines”.
Its app now says that passwords should be at least 10 characters long and contain one symbol.
Air Canada said that it detected unusual login activity between 22 and 24 August and decided to lock down all 1.7 million of its accounts as a consequence.
It believes data has been stolen from about 20,000 of these, and has informed members of this group via email.
However, all customers will need to reset their logins to use the app again.
The airline says customers’ credit card details were encrypted, so should not be at risk.
But basic profile data that could have been exposed includes names, email addresses and phone numbers.
In addition, it warned the following details may also have been copied if they had been provided:
- passport number
- passport country of issuance
- passport expiration date
- country of passport issuance
- country of residence
- birth date
The City of London’s Action Fraud team told the BBC that the “consequences of having your passport information accessed can be severe”.
It said banks, insurance firms and mobile phone providers were among businesses that request the data to set up accounts, but do not always require sight of the physical document.
Victims can face wrecked credit scores and bills, from which it can take months to extricate themselves.
In some cases, Action Fraud added, it is even possible to use the information to obtain genuine documents such as driving licences and new passports.
“The loss of passport data in this breach makes it unusual,” commented Prof Alan Woodward, from the University of Surrey.
“Like driving licences, passports are considered government-issued ID and it is assumed that only the holder will know the contents.
“But we’re at the point where so much sensitive data is being released via such breaches that we can no longer assume that mere knowledge of what is written in a passport is sufficient to verify ID online.”
Air Canada has recommended that its customers “regularly review their financial transactions, be aware of any changes to their credit rating, and contact their financial services provider” if they become aware of unusual activity.