Air Canada data Leak could result in hefty fine and lead to claims

Air Canada has reported that their app has been subject to a data breach resulting in the theft of data from around 20,000 accounts.  It states that it detected unusual activity between 22 and 24 August 2018 and as a precaution locked all 1.7 million accounts held with the company.  The source of the breach is currently unreported.

Whilst Air Canada state that their users’ credit card details were encrypted, it has warned that profile details are at risk of having been copied.  These include, passport number, date of birth, nationality and country of residence.

There is a possibility that Air Canada could be fined by the Information Commissioner’s Office under new provisions under the General Data Protection Regulation (‘GDPR’) if, after investigating the breach, it is considered that the airline had failed in their obligation to hold their customer’s data securely.  Whilst Air Canada is based outside of the European Union, the GDPR applies globally to a data controller or processer if the data subjects are in the Union and if the controller or processor is offering goods and services to those in the Union (in this instance, offering flights to those in the United Kingdom priced in sterling).

Customers of Air Canada whose data was affected by this breach might be able to bring a civil claim against the company, particularly if they have suffered consequential damage and distress.  Claims could potentially be brought for breach of the GDPR, misuse of private information, breach of confidence, negligence and/or breach of contract.

In light of the breach, Action Fraud have warned that theft of passport data can lead to severe consequences.  Some companies, such as insurance firms, may request the data but not the physical document.  They report that it is additionally possible, in some cases, to obtain government issued ID with this information.

Whilst the loss of passport data perhaps makes this a unique breach, it follows a long line of recent data breaches suffered by large companies such as Ticketmaster and Dixons Carphone.

Click here to see how Brett Wilson LLP’s specialist solicitors can assist you if your personal data has been breached.