
Air Canada mobile app data breach spurs class action for Privacy Act violations

Air Canada’s new direct service from YVR to Melbourne, Australia, will use the new Boeing 787-9 Dreamliner. Photo submitted

After announcing a data breach of its mobile app potentially allowing unauthorized access to up to 20,000 accounts, Air Canada faces a class action for Privacy Act violations.

Foroohar Rafiei of B.C. and Scott Jeremy Hanlon of Ontario filed a notice of civil claim under the Class Proceedings Act in BC Supreme Court on Aug. 31 on behalf of Canadian residents who had an Air Canada mobile+ account or passenger profile with the airline. The airline’s mobile app, according to the claim, allows users to “manage their travel with Air Canada,” allowing mobile booking, check-ins and cancellations, features also available on the company’s website.

On August 29, Air Canada revealed that a security breach a week earlier had compromised its mobile apps and disabled access for 1.7 million users, who were later required to change their passwords.

“We recently detected unusual login behaviour with Air Canada’s mobile app between Aug. 22 and 24, 2018,” the company announced. “We immediately took action to block these attempts and implemented additional protocols to block further repeated unauthorized attempts.”

The company locked its mobile app and found that about 20,000 profiles “may potentially have been improperly accessed.”

The class claims that, before the breach, Air Canada’s app allowed only passwords of up to 10 characters with no special character requirements, and lacked two-factor authentication to protect users’ sensitive personal data.

“Class members, prior to August 29, 2018, were prohibited from using stronger passwords such as one with more than 10 characters or with special characters within,” the claim states. “The security breach is of the most serious type as sensitive information including birthdate, government ID information, travel history and travel plans were stored on the Air Canada mobile+ accounts.”

Lead plaintiffs Rafiei and Hanlon seek class certification and damages for breach of contract, negligence and Privacy Act violations.

The allegations have not been tested or proven in court, and Air Canada had not responded to the claim by press time.