Theories abound about data breach at Canadian airport

Various theories are being advanced to account for WestJet airline’s “extraordinary” action of removing credit card check-ins from self-service kiosks at airports across Canada.

The Calgary-based airline has done this in at kiosks at 28 Canadian airports.

It’s a self-described “extraordinary step” after Visa and the Greater Toronto Airport Authority sent the company letters about possible fraud involving 150 terminals at Toronto’s Lester B. Pearson International Airport.

WestJet’s actions suggest it may be concerned its own systems are at fault in a security breach, says one Canadian analyst.

“Actions speak louder than words, and since no one is saying anything, actions are certainly interesting,” says Rob Burbach, research analyst at Toronto-based consulting firm IDC Canada. “One scenario is that WestJet actually found a problem in their system that extended beyond Pearson – why else would they do this?”

But WestJet says it is acting with caution, applying the change to its kiosks across the country that are very similar to the ones at Pearson, if not identical.

The public is concerned with the security of their information, and the move is designed to protect customers, says Robert Palmer, manager of public affairs at WestJet.

“We take the protection of our guests’ credit card information very seriously,” he says. “So while the investigation surrounding fraudulent activity is underway, we’re just not going to take a chance.”

WestJet was the only one – of the 13 airlines that serve up boarding passes at the common-use terminals – to stop accepting credit cards. Air Canada didn’t follow suit, saying it feels comfortable the terminals are secure, despite the investigation.

“The GTAA has said publicly that they’ve reviewed and tested their system, and they’re confident it’s safe,” says Peter Fitzpatrick, a spokesperson with Air Canada. “We accept this, and so do most other airlines.”

The Montreal-based airliner will follow the investigations and supply assistance if called upon, he adds. “We’re co-operating and there’s been some back and forth. I’m not allowed to go into that.”

Organizations involved in the investigation have been tight-lipped about the details of the breach.

Other than a letter sent by Visa stating that the possibility of a breach was raised by financial institutions that noticed credit card fraud was correlated with travel through Pearson Airport.

Little has been revealed about the nature of the fraud.

Visa declined an interview request from, instead e-mailing a press release confirming the investigation. The statement reminds cardholders to regularly monitor card accounts for suspicious activity.

It’s not surprising that no one is coming forward with details about the breach, says David Senf, a security analyst with IDC Canada.

The various organizations “don’t have a very good handle on data security. They don’t know where the data leak occurred.”

Possibilities include at the point of swiping the magnetic card, in the transmission of the data through a Wi-Fi network, or even once it was in an airline’s back-end system, Senf adds.

But the reticence of the organizations involved shows that Canada needs to pass laws that require breach notification, analysts say.

Visa’s letter was sent to many airlines, technology companies, and the GTAA, yet no one revealed the breach had occurred until the letter surfaced in the media.

Discretion of whether an information breach is made public should be in the hands of the office of the Privacy Commissioner of Canada, Burbach says.

But that office was equally reticent when asked about the cause of the data breach. It will not be conducting its own investigation at this time, said spokesperson Valerie Lawton.

“We’re talking to the different organizations and we’re working to determine next steps.”

The GTAA will cooperate with the Visa investigation, says spokesperson Scott Armstrong. The authority is responsible for the hardware components of the kiosks, but technology companies operate the software and integration aspects.

“The GTAA component, the hardware, has been checked out to be safe and secure,” he says. “Then you have the software companies and the airliners.”

Armstrong refutes speculation – in some media reports – that
data could have been leaked through weak encryption on a Wi-Fi network.

That is impossible, says. “The self-service kiosks are installed in the floor, and they have cabling that runs through the floor to the back operations rooms. So there’s no Wi-Fi involved.”

He said the airport takes network security very seriously and does use encryption through its IT environment.

Geneva-based IT services company SITA provides the software to the kiosks. The company claims to be the world’s leading provider of communications services to the air transport industry and earned $1.42 billion, according to the company’s Web site.

“SITA is cooperating fully in the investigation into any possibility that credit card fraud can be perpetrated through our AirportConnect CUSS kiosks and software platform at Pearson Toronto International Airport,” Catherine Mayer, vice president of airports services at SITA says in a written statement.

The integration between the kiosks’ hardware and software is done by Annapolis, Md.-based ARINC Inc., a company that provides communications and engineering services. It also received the Visa letter.

But Linda Hartwig, senior director of corporate communications at ARINC downplays the security risk. The kiosks are only being investigated because it is a common area where people use their credit cards in the airport, she says.

“There are many places where the leak could be, the self-service kiosks just happen to be one of those,” she says. “It could be from using your credit card to pay at a restaurant, at an ATM, any possible place you could use a credit card.”

For now, WestJet is reminding travelers they can still use the kiosks. Using a flight reference number or scanning your passport will get your boarding pass printed.

The media interest around this security breach means that the companies involved will likely come forward with new information gleaned from the investigation, analysts say. But until then, expect a lot of finger-pointing and excuses as to why no information is coming forward.

“I would like to know as soon as possible if it was my information being leaked,” IDC’s Senf says.

Share on LinkedIn Share with Google+
More Articles