Travel Breaches Hit Air Canada and Asia-Pac Hotelier

Air Canada said 20,000 mobile app users have had passport information exposed; and millions have been affected by a breach at Asian hotel giant Huazhu.

It’s been a busy week on the data breach front. First, Air Canada said that a breach of around 20,000 mobile app users had exposed passport information. At the same time, millions have been affected by an information heist targeting a Chinese hotel group with 3,500 properties across the Asia-Pacific region.

For its part, Air Canada has asked users of its Mobile+ app to reset their accounts after it detected “unusual login behavior” between Aug. 22-24.

“We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile app accounts to protect our customers’ data,” the airline said in a statement on its website.

There are approximately 1.7 million Air Canada mobile app user profiles, the company said, but those affected represent just 1 percent of that base, or 20,000. The airline notified those affected starting Wednesday– about five days after the malicious activity was verified.

While details are scant, the accessed information includes profile data stored on the Air Canada mobile App account, according to the notice. This by default includes name, email address and telephone number. However, users can choose to add additional data, such as their frequent-flier numbers, passport numbers, NEXUS number, Known Traveler Number, gender, birthdate, nationality, passport expiration date, passport country of issuance and country of residence.

Credit cards that are saved to users’ profiles are encrypted and stored in compliance with security standards set by the payment-card industry (PCI) standards, the company said.

As for the passport information, it’s unlikely a bad actor can fraudulently gain a passport from the government, according to the government of Canada’s passport website. It said that it wouldn’t issue a new passport to anyone based on only passport information, without corroborating identity documents. However, it can still be very useful to criminals if combined with fraudulent Social Security cards, birth certificates and other official identifying documents.

Samuel Bakken, senior product marketing manager at OneSpan, said via email that the attack may have been avoidable if the app used stronger security.

“The details of how the attackers gained access are scant at this point, but it sounds like strong, multifactor authentication integrated into the mobile app could potentially have prevented this unauthorized access,” he noted. “Many vendors offer easy to use mobile development toolkits that makes it easy to natively integrate advanced biometric authentication into their apps.”

Meanwhile, the Huazhu hotel chain is investigating the possible leak affecting 130 million customers, which were found purportedly for sale on the Dark Web.

Details are still emerging, but police in Shanghai’s Changning District, where the company is headquartered, said late Tuesday that nearly 500 million pieces of customer-related information are included in the information trove. These include 123 million pieces of “registration data” (including name, mobile number, ID number and log-in pin); 130 million pieces of “check-in records” (including name, ID number, home address and birthdate); and 240 million pieces of “hotel stay records” (including name, credit-card number, mobile number, check-in and check-out time, consumption amount and room number).

The entire trove was advertised to be on sale underground for eight bitcoins or 520 Monero (about $56,000 at the time of this writing).

Huazhu operates 18 brands in China including AccorHotel’s Mercure and Ibis hotels, CitiGO, Crystal, Hanting Hotels, Orange Hotels and VUE.

“In the last few years, breaches have gone from affecting a few thousand individuals at a time to exposing the data of millions of users on a regular basis. However, a breach that affects 130 million customers is massive enough to stay at the podium of breaches for a while,” said Ryan Wilk, vice president of customer success at NuData Security, via email. “This news needs to remind merchants and other companies transacting online that their systems are never entirely safe from breaches; these can happen at any time, and companies need to have their post-breach process ready.”

The two breaches are only the latest to affect the travel industry. Last summer saw the SABRE breach affect numerous chains, including Trump Hotels, Loews Four Seasons and Hard Rock.  Earlier this year, Delta was among those caught up in a chatbot compromise and data leak. And in March, the Orbitz travel booking site saw the compromise of 880,000 payment cards.

“Given the breadth of personally identifiable information stored on hospitality industry systems, cybercriminals will continue to their attack often targeting usernames and static passwords or compromising unsecure mobile applications,” said Michael Magrath, director of Global Regulations & Standards at OneSpan, via email.

Suggested articles