The airline has warned that users who had entered their passport details into the product may have had that data stolen. Experts warn that the theft of such information would pose a serious ID fraud risk.
The firm has also been criticized for its relatively weak password system.
Although it is not clear how the breach occurred, one cyber-security specialist highlighted that Air Canada’s website still says account passwords should contain between six and 10 characters and that it only accepts letters and numbers, but no other symbols.
“Many users will choose short and easily guessable passwords,” commented Amit Sethi, a security consultant at Synopsys. “Moreover, users that want to use strong passwords cannot do so.”