Users of Air Canada’s mobile app have become the latest victims of a data breach. After noticing unusual login activity on the app, Air Canada took a number of security steps in response, including locking all app customers out of their accounts and requiring them to reset their passwords.
Air Canada says that around 20,000 user profiles have been accessed. The information accessed includes:
- email address; and
- telephone number.
It may include:
- loyalty account number;
- passport number;
- passport expiration date;
- passport country of issue;
- certain US customers’ identity numbers;
- date of birth;
- nationality; and
- country of residence.
Air Canada says that all credit card information is encrypted and, therefore, safe. That assurance holds only for as long as the encryption keys stay out of the attacker’s reach; encryption at rest protects stored card data against someone who copies the data, not against someone who also obtains the keys.
What is the threat to individuals?
The unusual aspect of this breach is the loss of detailed passport information. Such information is often used by companies to verify a person’s identity before providing products or services such as mobile phone contracts or utilities, because it is seen as a stronger form of identification than, say, an address or a date of birth alone. Its loss could lead to identity theft which, in turn, could see affected individuals denied credit, and the stolen details could be used to obtain further identification documents in the victim’s name. Unlike a password, a passport number, date of birth and nationality cannot simply be reset after a breach, so the harm can persist for years.
What can companies learn from this data breach?
Continually review your data security
Companies have a legal responsibility to keep their security practices in line with industry best practice. In this case, Air Canada has been criticised for not requiring ‘special characters’ (not just numbers or letters) in customer passwords, and it has responded by requiring all app customers to change their passwords to something that follows a stricter standard. One caveat: composition rules of this kind are no longer regarded as best practice on their own. Current guidance such as NIST SP 800-63B favours a minimum length, screening new passwords against lists of known-compromised passwords, and rate limiting or multi-factor authentication to blunt credential stuffing, because a rule that merely demands a symbol is satisfied by predictable choices such as ‘Password1!’. Whatever standard is adopted, the maintenance of best practice needs to be reflected in a company’s record keeping so that changes to Information Security Policies can be shown to regulators if notifiable breaches occur.
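To make the point concrete, here is an added example (it is not Air Canada’s code and is not taken from the article) contrasting the ‘special character’ composition rule with a length-plus-breached-list check of the kind NIST SP 800-63B recommends. The breached-password list is a small constructed sample standing in for a real corpus, and the 8-character minimum is an assumed policy value.

```python
"""Password policy check: composition rule versus length plus breached-list screening.

Added example, not Air Canada's code. The breached-password list below is a small
constructed sample standing in for a real corpus of leaked passwords; MIN_LENGTH is
an assumed policy value taken from the NIST SP 800-63B minimum for memorised secrets.
"""
import string
from typing import Tuple

# Constructed sample of "known compromised" passwords (stand-in for a real dump).
BREACHED_PASSWORDS = {
    "password",
    "password1",
    "password1!",
    "qwerty123",
    "letmein",
    "aircanada1",
}

MIN_LENGTH = 8  # assumed policy value (NIST SP 800-63B minimum)


def composition_rule(password: str) -> bool:
    """The 'special character' rule the article describes.

    Accepts any password that mixes letters, digits and at least one symbol,
    regardless of length or how guessable it is.
    """
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    return has_letter and has_digit and has_symbol


def modern_rule(password: str, breached=BREACHED_PASSWORDS) -> Tuple[bool, str]:
    """Length plus breached-list screening; returns (accepted, reason).

    Case is folded before the lookup, and a trailing run of digits/symbols is
    stripped so that 'LetMeIn2024#' is recognised as a variation of 'letmein'.
    """
    if len(password) < MIN_LENGTH:
        return False, "too short"
    lowered = password.lower()
    if lowered in breached:
        return False, "appears in breached-password list"
    core = lowered.rstrip(string.digits + string.punctuation)
    if core in breached:
        return False, "trivial variation of a breached password"
    return True, "ok"


def evaluate(password: str) -> dict:
    """Run both rules on one candidate so the two verdicts can be compared."""
    accepted, reason = modern_rule(password)
    return {
        "composition_rule": composition_rule(password),
        "modern_rule": accepted,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed candidates: the first three pass the composition rule yet are
    # short or well known; the last two fail it yet are far harder to guess.
    for candidate in ["Password1!", "Abc1!", "LetMeIn2024#",
                      "correct horse battery staple", "Tr0ub4dor&3"]:
        verdict = evaluate(candidate)
        print(f"{candidate!r:32} composition={verdict['composition_rule']!s:5} "
              f"modern={verdict['modern_rule']!s:5} ({verdict['reason']})")
```

Running the block shows the gap between the two rules: ‘Password1!’ satisfies the composition rule but is rejected because it sits in the breached list, while a long passphrase with no digit or symbol fails the composition rule but passes the modern one. In production the breached-list lookup would be made against a large corpus (ideally via a k-anonymity style range query so the candidate password never leaves the server), but the decision logic is the same.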
Be ready to respond when data breaches occur
Air Canada took 5 to 7 days to notify affected customers of the data breach. We do not know whether any EU citizens are affected by this breach and, therefore, whether the GDPR applies to it, but if it does and there is a “high risk to the rights and freedoms” of individuals (as would appear to be the case here) the GDPR requires that data controllers such as Air Canada notify affected individuals “without undue delay” (Article 34), and notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33). It is questionable whether taking a week to tell individuals that their passport details have been stolen would satisfy this requirement. Companies need to have a written incident response plan in place so that when such data breaches occur they can respond quickly and in an organised and informed manner.
Know when to notify a breach and to whom
Companies need to know whether to notify a breach to the regulator and whether to notify individuals affected by the breach. Under the old law in Europe, no such notification was mandatory, apart from sector-specific rules for providers of electronic communications services. Under the GDPR, companies must notify the regulator if there is a “risk to the rights and freedoms” of individuals, and must notify the individuals themselves if there is a “high risk” to their “rights and freedoms”. In both cases the notification must be made “without undue delay”, and for the regulator the GDPR adds a target of 72 hours from the moment the company becomes aware of the breach. Somebody within a company needs to be aware of the guidance in this area so that an informed decision can be made quickly and a record made of that decision, including why it was made; if the company decides not to notify, the regulator can later ask to see the reasoning.
How to minimise the risk of a data breach
Your company should have a privacy compliance programme in place that covers all applicable data protection laws, including the GDPR. It is crucial that you have a cross-departmental team of individuals responsible for implementing and maintaining that programme so that the risk is kept as low as possible. This team will educate and inform the workforce about the importance of protecting personal data and how each employee can contribute to that effort. This creates a culture of compliance and a data-aware workforce that will ask questions and understand their role in data protection.
These steps will reduce the risk of breaches such as that experienced by Air Canada and provide a clear framework of how to respond in the event that such a breach does occur. For more details on what a comprehensive privacy compliance programme looks like, you could do a lot worse than take a look at The Privacy Compliance Hub.