Asia-Pac Hotelier and Air Canada Hit by Travel Breaches

Air Canada has said in an official statement that the passport information of around 20,000 mobile app users has been exposed, while millions were affected by a data breach at Asian hotelier Huazhu.

Another Data Breach Reported by Air Canada and Asia-Pac Hotelier

Tuesday proved to be a busy day on the data breach front. Air Canada confirmed a data breach affecting 20,000 mobile app users that exposed their passport information. At the same time, millions were affected by an information heist targeting a Chinese hotelier with 3,500 properties across the Asia-Pacific region.

For its part, Air Canada has asked its Mobile+ app users to reset their accounts after it detected “suspicious login behavior” between August 22 and August 24. The airline said in a statement on its website, “We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile app accounts to protect our customers’ data.”

There are approximately 1.7 million Air Canada mobile app user profiles, the company said, but only 1% of that base, or 20,000 users, were affected. The airline began alerting those affected on Wednesday, five days after the malicious activity was verified.

Details remain scant. According to the notice, the leaked information included profile data stored in the Air Canada mobile app account. By default, this includes telephone number, email address, and name. However, users have the option to add further data such as passport country of residence and country of issuance, passport expiration date, nationality, birthdate, gender, Known Traveler Number, NEXUS number, passport numbers, and frequent-flier number.

The company added that credit cards saved to users’ profiles are encrypted and stored in compliance with the security standards set by the payment card industry (PCI).

As far as the passport information is concerned, it is highly doubtful that a bad actor could fraudulently obtain a passport from the government, according to the Government of Canada’s passport website. It is speculated that the Canadian government will not issue a new passport merely on the basis of passport information, without corroborating identity. However, the information can still be very useful to criminals when combined with counterfeit Social Security cards, birth certificates and other official identifying documents.

Samuel Bakken, senior product marketing manager at OneSpan, said that the attack may have been avoidable if the app had used stronger security. He further stated, “The details of how the attackers gained access are scant at this point, but it sounds like strong, multifactor authentication integrated into the mobile app could potentially have prevented this unauthorized access. Many vendors offer easy to use mobile development toolkits that make it easy to natively integrate advanced biometric authentication into their apps.”

In the meantime, the Huazhu hotel chain is investigating a possible breach affecting 130 million customers, whose data was allegedly found for sale on the Dark Web.

Details are still emerging, but the police force of Shanghai’s Changning District stated on Tuesday that the information trove included nearly 500 million pieces of customer-related information. These included 123 million pieces of “registration data” (including log-in PIN, ID number, name, and mobile number); 240 million pieces of “hotel stay records” (including room number, consumption amount, mobile number, name, check-in and check-out time, and credit card number); and 130 million pieces of “check-in records” (including home address, ID number, name, and birthdate).

The entire hoard was advertised as being covertly on sale for 520 Monero or eight bitcoins (approx. $56,000).

Huazhu operates 18 brands in China, including Accor Hotel’s Mercure and Ibis hotels, CitiGO, Crystal, Hanting Hotels, Orange Hotels, and VUE.

Michael Magrath, director of Global Regulations & Standards at OneSpan, said, “Given the breadth of personally identifiable information stored on hospitality industry systems, cybercriminals will continue their attack, often targeting usernames and static passwords or compromising unsecure mobile applications.”

