Air Canada mobile app data breach (August 2018)
Incident Details
Between August 22 and 24, 2018, Air Canada detected unusual login behaviour on its smartphone mobile application and moved quickly to lock all 1.7 million app user accounts as a precautionary measure. The airline disclosed the incident on August 29, 2018, confirming that approximately 20,000 profiles (roughly 1 percent of registered users) had been improperly accessed.
Security experts assessed the attack as a credential-stuffing campaign. The mobile app required only an email address and password for authentication, making it straightforward to target with large lists of credentials obtained from unrelated prior data breaches. Air Canada had not implemented multi-factor authentication or robust rate-limiting on login attempts at the time.
The data exposed varied depending on what users had stored in their profiles. Basic fields (name, email address, and phone number) were accessible for all affected accounts. Users who had stored travel document details faced significantly greater exposure: passport numbers, passport expiry dates, country of issuance, NEXUS trusted traveller numbers, Known Traveller Numbers, gender, dates of birth, nationality, and country of residence were all potentially viewable by attackers. Air Canada confirmed that credit card data was not compromised because it was stored in encrypted form in compliance with PCI DSS standards, and Aeroplan passwords were not stored in the app.
Following the lock-down, Air Canada directly notified affected customers by email, provided instructions for resetting passwords to meet updated complexity requirements, and offered guidance on protecting travel documents. The airline also evaluated and strengthened its password policies.
The incident highlighted the risk airlines and travel companies face when mobile applications allow storage of highly sensitive travel documents alongside standard account credentials. The combination of passport numbers, NEXUS details, and personal identifiers creates a rich target for identity fraud, even in the absence of financial data. Air Canada did not publicly name a third-party vendor as the source of the breach; the attack targeted Air Canada’s own app infrastructure directly.
Technical Details
- Initial Attack Vector
- Credential stuffing attack against the Air Canada mobile app: attackers used email/password combinations from prior data breaches to systematically attempt logins against the app's authentication endpoint, successfully accessing approximately 20,000 of the 1.7 million registered accounts between August 22–24, 2018
- Vendor / Product
- Air Canada mobile app
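The login pattern described above (one source trying many different accounts, mostly failing) can be flagged from authentication logs. The following is an added example, not Air Canada's code or data: the log format, thresholds, addresses and account names are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window per source
MIN_DISTINCT_ACCOUNTS = 5       # assumed: distinct accounts tried by one source
MIN_FAILURE_RATIO = 0.8         # assumed: stuffing runs fail most of the time

# Constructed sample log: "<ISO timestamp> <source> <account> <OK|FAIL>"
SAMPLE_LOG = [
    "2024-01-01T10:00:01 203.0.113.7 alice@example.com FAIL",
    "2024-01-01T10:00:03 203.0.113.7 bob@example.com FAIL",
    "2024-01-01T10:00:05 203.0.113.7 carol@example.com FAIL",
    "2024-01-01T10:00:07 203.0.113.7 dave@example.com FAIL",
    "2024-01-01T10:00:09 203.0.113.7 erin@example.com FAIL",
    "2024-01-01T10:00:11 203.0.113.7 frank@example.com OK",
    "2024-01-01T10:02:00 198.51.100.20 grace@example.com FAIL",
    "2024-01-01T10:02:30 198.51.100.20 grace@example.com OK",
]

def parse(line):
    """Split one constructed log line into (timestamp, source, account, ok)."""
    ts, source, account, result = line.split()
    return datetime.fromisoformat(ts), source, account.lower(), result == "OK"

def detect_stuffing(lines):
    """Return {source: accounts that logged in successfully inside a flagged window}.

    A source is flagged when, within WINDOW, it has tried at least
    MIN_DISTINCT_ACCOUNTS different accounts and most attempts failed.
    Unlike password guessing (one account, many passwords), credential
    stuffing shows up as many accounts with few attempts each.
    """
    recent = defaultdict(deque)   # source -> attempts still inside WINDOW
    flagged = defaultdict(set)
    for ts, source, account, ok in sorted(map(parse, lines)):
        attempts = recent[source]
        attempts.append((ts, account, ok))
        while ts - attempts[0][0] > WINDOW:   # drop attempts older than WINDOW
            attempts.popleft()
        accounts = {a for _, a, _ in attempts}
        failures = sum(1 for _, _, o in attempts if not o)
        if (len(accounts) >= MIN_DISTINCT_ACCOUNTS
                and failures / len(attempts) >= MIN_FAILURE_RATIO):
            # A success inside a flagged window is a likely account takeover:
            # these are the accounts to lock and force through a password reset.
            flagged[source].update(a for _, a, o in attempts if o)
    return {source: sorted(accts) for source, accts in flagged.items()}
```

Per-source counting does not see attempts spread across many addresses, so it complements rather than replaces multi-factor authentication and global monitoring of the login failure rate.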
Timeline
- 2018-08-22 Breach occurred
- 2018-08-29 Publicly disclosed
- 2018-08-29 Customers notified