Travel Breaches Hit Air Canada and Asia-Pac Hotelier

Tuesday was a busy day on the data breach front. Air Canada said that a breach of around 20,000 mobile app users had exposed passport information. At the same time, millions have been affected by an information heist targeting a Chinese hotel group with 3,500 properties across the Asia-Pacific region.

For its part, Air Canada has asked users of its Mobile+ app to reset their accounts after it detected “unusual login behavior” between Aug. 22-24.

“We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile app accounts to protect our customers’ data,” the airline said in a statement on its website.

There are approximately 1.7 million Air Canada mobile app user profiles, the company said, but those affected represent just 1 percent of that base, or 20,000. The airline notified those affected starting Wednesday– about five days after the malicious activity was verified.

While details are scant, the accessed information includes profile data stored on the Air Canada mobile App account, according to the notice. This by default includes name, email address and telephone number. However, users can choose to add additional data, such as their frequent-flier numbers, passport numbers, NEXUS number, Known Traveler Number, gender, birthdate, nationality, passport expiration date, passport country of issuance and country of residence.

Credit cards that are saved to users’ profiles are encrypted and stored in compliance with security standards set by the payment-card industry (PCI) standards, the company said.

As for the passport information, it’s unlikely a bad actor can fraudulently gain a passport from the government, according to the government of Canada’s passport website. It said that it wouldn’t issue a new passport to anyone based on only passport information, without corroborating identity documents. However, it can still be very useful to criminals if combined with fraudulent Social Security cards, birth certificates and other official identifying documents.

Samuel Bakken, senior product marketing manager at OneSpan, said via email that the attack may have been avoidable if the app used stronger security.

“The details of how the attackers gained access are scant at this point, but it sounds like strong, multifactor authentication integrated into the mobile app could potentially have prevented this unauthorized access,” he noted. “Many vendors offer easy to use mobile development toolkits that makes it easy to natively integrate advanced biometric authentication into their apps.”

Meanwhile, the Huazhu hotel chain is investigating the possible leak affecting 130 million customers, which were found purportedly for sale on the Dark Web.

Details are still emerging, but police in Shanghai’s Changning District, where the company is headquartered, said late Tuesday that nearly 500 million pieces of customer-related information are included in the information trove. These include 123 million pieces of “registration data” (including name, mobile number, ID number and log-in pin); 130 million pieces of “check-in records” (including name, ID number, home address and birthdate); and 240 million pieces of “hotel stay records” (including name, credit-card number, mobile number, check-in and check-out time, consumption amount and room number).

The entire trove was advertised to be on sale underground for eight bitcoins or 520 Monero (about $56,000 at the time of this writing).

Huazhu operates 18 brands in China including AccorHotel’s Mercure and Ibis hotels, CitiGO, Crystal, Hanting Hotels, Orange Hotels and VUE.

“Given the breadth of personally identifiable information stored on hospitality industry systems, cybercriminals will continue to their attack often targeting usernames and static passwords or compromising unsecure mobile applications,” said Michael Magrath, director of Global Regulations & Standards at OneSpan, via email.