Air Canada has asked Mobile+ app users to reset their accounts as a security precaution. Due to the large volume, some customers may experience a delay in the process to change their passwords.

Air Canada recently posted a notice on its website, asking its mobile app users to reset their accounts as a security precaution, due to the fact that they “detected unusual login behavior” within the app between August 22-24.

We ask customers to be patient and assure them their data is protected and not accessible to unauthorized users. We apologize for the delay. Please wait several hours and try again.

There are approximately 1.7 million Air Canada mobile App user profiles, with 20,000 profiles potentially affected.

According to the statement, “We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile App accounts to protect our customers’ data. To reactivate your Air Canada mobile App account, please see the instructions emailed to you or follow the prompts the next time you log into your Air Canada mobile App.”

According to Mark Sangster, VP and industry security strategist at Canadian-based cybersecurity company eSentire (and also an Air Canada mobile app user):

“We have seen cybercriminals tune their attacks to lucrative targets, reaching beyond the obvious financial institutions. In this case, a major airline’s mobile app was the target. It’s a strategic one given the fact that many users have financial information, such as credit card information, and valuable personally identifiable information, such as addresses, birthdates, passport numbers and expirations, next of kin contacts, etc. What’s worse, this treasure trove of personal information often belongs to users who frequently travel, spending in different countries and geographies, making it harder for credit card providers to identify anomalous spending tied to their accounts.

According to the Air Canada notice, the suspicious behavior on the app was detected between August 22-24, and the airline took immediate action to disable mobile accounts. It’s refreshing to see such mercurial response, given the number of breaches we’ve seen lag for months as the affected companies continue operations either oblivious to the breach, or worse, failing to notify affected customers. The window between the point of detection and point of response is critical.

Once consumers are made aware of the security breach, they can take defensive actions, like changing their passwords, notifying their financial institutions of the breach to establish credit and fraud watches, and monitor their accounts for aberrant transactions. In the cases where companies fail to notify customers in a timely fashion, the window of exploitation remains open, and all too often metastasizes through the organization and customer base leading to serious financial consequences for its customers and its own business.

As the frequency and voracity of cyber attacks continue to increase, privacy and protection laws, such as the ones introduced in Europe (General Data Protection Rules), and here in Canada with the Personal Information Protection and Electronic Documents Act (PIPEDA), become more critical. These laws need to tighten, ensuring companies have well-understood rules and triggers for privacy and data breach notification, timelines for response, and fully understand their obligations when it comes to protecting the information of its employees and customers. Until then, it’s open season on our data and hard-earned wealth.”