Air Canada says 20,000 mobile app users might be affected by a data breach. 1.7 million customers are locked out until they update their passwords. The airline says it detected unusual login activity last week and tried to block the hacking attempt, locking the app accounts as an additional measure. Mobile app users received an email Wednesday morning alerting them as to whether their account had been affected.
Please see below for commentary on this news:
Jake Moore – Security Specialist at ESET:
“Although this is a massive breach in customer data and confidence, Air Canada are locking people out of their accounts until they update their passwords. This is a great way to encourage people to think about their passwords should they require access back into it. In fact, this is now an opportunity to think about using a password manager or at least a password generator to help customers with their general cyber awareness and security. Attacks like this are becoming far too common but we need to learn from them so making it compulsory to gain access back into the accounts is not only a positive security measure on their behalf, it also offers a moment for customers to think twice about their passwords. Let’s just hope it’s not an incremental “yourcatsname.2”.”
Israel Barak, Chief Information Security Officer at Cybereason:
“The Air Canada breach once again sheds light on the difficulty companies have protecting the proprietary information of their customers that is their backbone. Collectively, this is a blow to our privacy and Air Canada joins a growing list of organizations that have faced a knock down punch. For the consumer, they should be working under the assumption that their personal information has been compromised many times over. As an industry, until we can start making cyber crime unprofitable for adversaries, they will continue to hold the cards that will yield potentially massive payouts.”
Bill Conner, CEO at SonicWall:
“No device is safe in the cyber arms race, evidenced by today’s Air Canada mobile app breach. The personal details that were compromised such as passport information, nationality and date of birth, fetch a high price on the dark web, as they’re not easily changed and have a longer shelf-life. I applaud Air Canada’s rapid response in alerting its customers, which isn’t always the case with today’s breaches. As threats continue to loom and intensify, total end-to-end security is key, including a layered approach to security across wired, wireless, mobile and cloud networks, as well as employee education and the securing of IoT devices to prevent tampering and unauthorized access.”
Bill Evans, Senior Director at One Identity:
“While it’s interesting that Air Canada has issued a call for all users of its mobile app to update their passwords, it does introduce some interesting questions into the mix. First, according to Air Canada, “Users can reactivate their account along stricter password guidelines by following instructions emailed to them or prompts when logging in.” It’s 2018. Why hasn’t the airline already mandated stronger passwords? Secondly, for personal information as important as possibly passport data, why hasn’t the airline mandated or at least offered multi-factor authentication for its users? These are relatively simple measures that could have (should have) been deployed prior to the challenges of the past two weeks.
It should be noted, however, that Air Canada is claiming that its decision to essentially shut down the app and require all users to reactivate their accounts is a good one. It’s always best to err on the side of caution, which Air Canada has done in this case. On the other hand, it’s just another example of the axiom, “if you think being secure is expensive, try being unsecure.” Air Canada ought to buckle its seat belts as there’s going to be some customer turbulence over the next several days.”
Samuel Bakken, Senior Product Marketing Manager at OneSpan:
“Thankfully the airline was able to detect the breach and keep the number of affected accounts to 20,000 – but tell that to the individuals whose privacy has been violated. Such an incident will affect victims’ — not to mention prospective customers’ — trust in Air Canada and may result in decreased usage of the mobile app or, in the end, customer defection. Banks and financial institutions know that maintaining trust in the mobile channel via strong authentication and security is absolutely imperative to customer acquisition and retention. The details of how the attackers gained access are scant at this point, but it sounds like strong, multifactor authentication integrated into the mobile app could potentially have prevented this unauthorized access. Many vendors offer easy to use mobile development toolkits that make it easy to natively integrate advanced biometric authentication into their apps.”
Amit Sethi, Senior Principal Consultant at Synopsys:
“There is simply no excuse for organisations to still be relying solely on passwords for authentication. In this case, the hack might have been related to the Air Canada mobile app. Everyone that uses a mobile app has a mobile device that they can use to enroll in several types of multi-factor authentication.
Moreover, there is no excuse to have a password policy like the one that Air Canada currently has: 6-10 characters with no special characters allowed.
Organisations that are handling sensitive data need to do better than single-factor authentication using weak passwords.”
Tim Mackey, Technical Evangelist at Synopsys:
“This looks like an opportunistic “hack” in a vein quite similar to that of the Uber “hack” last fall. Development teams using public source code systems like GitHub and public continuous integration (CI) systems like Travis-CI need to recognise that any developer activity which causes a push to a public repository or a public branch can be viewed by others.
To combat the potential for credentials, configuration information and data to leak out, these teams need to have strong policies surrounding how debugging of CI occurs, where forks of code by core developers are located, and the conditions under which a push to a public branch for CI occurs. The increasing popularity of hosted development tools like GitHub, Jira and Travis-CI makes them ideal sources of information for malicious actors.
Consumers of hosted tools should ensure the security requirements their organisation places on code being developed can be met by these tools and that they’re correctly configured to meet those requirements. Put another way, while it’s possible to “outsource” the management of developer tooling, it’s very likely the default configuration isn’t appropriate to your requirements and you should invest in ensuring your security requirements are met.”
Michael Magrath, Director, Global Regulations & Standards at OneSpan:
“HUAZHU is the latest breach that has affected the hospitality industry. Last summer the SABRE breach affected numerous chains including Trump Hotels, Loews, Four Seasons and Hard Rock. Given the breadth of personally identifiable information stored on hospitality industry systems, cyber criminals will continue their attack, often targeting usernames and static passwords or compromising unsecure mobile applications.
“The hospitality industry is all about customer service. Given the advancements in authentication technologies, upscale properties can differentiate themselves by offering the latest, frictionless adaptive authentication methods combining behavioral biometrics and machine learning as well as fingerprint and facial recognition. These technologies can enhance the overall customer experience from online booking, registration, check-out, and entering their guest room.”
David P. Vergara, Head of Security Product Marketing at OneSpan:
“No security measures can fully protect against mind-numbingly careless behavior on the part of internal development teams. If, indeed, this breach was tied to unsecured copies of the hotel database being released, hotel customers should be furious and the hotel should be responsible, and providing tools/services to protect customers from fraud. In this case internal training and adoption of best practices from an IT security and development perspective need to be implemented immediately. Additionally, a full assessment of security technologies should be conducted, including the use of MFA.”