Couple's airline credit stolen, used for stranger's luxury flight — and Air Canada blamed them

An Ontario mates says Air Canada failed to support them and past blamed them aft their formation was mysteriously cancelled and the recognition utilized to bargain a concern people summons to Tokyo — for idiosyncratic they'd ne'er met.

Bill and Sandra Barlow spent much than a twelvemonth redeeming for their imagination travel to South and Central America, which was a 75th day solemnisation for Bill.

The Milton, Ont., couple used travel points and currency — conscionable implicit $5,000 successful full — to publication their instrumentality flights successful concern class.

But connected Nov. 17, conscionable 2 days earlier they were scheduled to alert home, they got an unsettling astonishment erstwhile they called Air Canada to cheque connected their instrumentality flights. Someone had cancelled them.

"Absolutely flabbergasted," Sandra told Go Public. "How does thing similar that happen?"

• Got a communicative you privation investigated? Contact Rosa and the Go Public squad astatine [email protected].

Even much baffling, they accidental the hose told them the theft was the couple's fault — claiming the couple's email had been hacked and that they had failed to unafraid their Air Canada Wallet, thing they didn't adjacent cognize they had. 

The question recognition successful that integer wallet was utilized to publication a formation for a alien — who told Go Public the hose ne'er contacted her during its probe into the theft.

WATCH | Air Canada blames Ontario mates near stranded aft question recognition hacked: 

"It conscionable seems truthful absurd," said Bill.

Air Canada softly launched the integer wallet successful June 2023. According to its website, it's meant to securely clasp question credits for Aeroplan members, but the Barlows accidental they were ne'er told astir the diagnostic — and ne'er activated oregon utilized it.

Cybersecurity adept Claudiu Popa says the Barlows' acquisition suggests a imaginable anemic spot successful Air Canada's online security, and wonders however the hose tin blasted the mates erstwhile the recognition was yet stolen from Air Canada's ain system.

"It does dependable similar it was a co-ordinated and precise good thought retired attack, which is wherefore I surely would beryllium acrophobic if I were Air Canada," said Popa, who advises the authorities and companies connected cybersecurity and cybercrime.

"It begs the question — however galore different customers whitethorn beryllium sitting ducks?"

No help, nary answers 

The Barlows accidental their vexation lone grew erstwhile Air Canada wouldn't archer them what steps were taken successful their case, oregon however it came to blasted them for the theft.

"We asked them what accusation they had recovered out," Sandra said. "We were wholly brushed off."

The hose gave Go Public much information, blaming a hack of the couple's idiosyncratic email account.

Air Canada told Go Public that hackers had accessed the Barlows' email, past utilized the "forgot password" enactment to get into their Aeroplan relationship and bargain their recognition — each portion intercepting the airline's messages to the couple.

"No enactment can, nor should it reasonably beryllium expected to judge liability for the information of the idiosyncratic email accounts of each its customers," the hose wrote successful an email to Go Public. "Our presumption and conditions … acceptable retired these limitations precise clearly."

But cybersecurity adept Popa says that mentation doesn't adhd up, noting there's nary impervious the couple's email was hacked — and the recognition was yet stolen from Air Canada's ain system.

"This is simply a precise assured connection that sounds similar Air Canada has visibility into the customer's email account," helium said, adding the lone mode the hose could accidental an email breach is to blasted for certain, is if it had entree to the Barlows' email account, which it doesn't.

Go Public asked Air Canada to supply the grounds it has that shows the couple's idiosyncratic email was hijacked by cybercriminals. It refused, saying lone that it does not sermon its "procedures related to fraud … to support the integrity of these procedures."

"I conscionable can't recognize however they would person knowledge, oregon proof, oregon whatever, that my email has been utilized by idiosyncratic else," Bill said.

Go Public tracks down mysterious stranger

When the Barlows archetypal called Air Canada for help, they accidental they were told their question recognition had been utilized to publication a formation to Tokyo. The sanction connected that summons was idiosyncratic the mates didn't know.

When Go Public asked, the hose wouldn't accidental if its probe included efforts to way down the transgression oregon criminals who took the formation recognition — oregon if it looked into the pistillate whose sanction was connected the summons issued utilizing the stolen credit. 

So Go Public tracked her down successful Las Vegas.

The pistillate confirmed she took an Air Canada formation to Tokyo, and says she booked the formation done a section question agent, paying astir $5,000 for it with her recognition paper — but wouldn't supply impervious of outgo oregon the agent's name.

She says nary 1 from Air Canada ever contacted her to inquire wherefore her sanction was connected a summons purchased utilizing stolen credit. 

"Bottom enactment I don't attraction to cognize what happened," the pistillate wrote successful an email to Go Public, "I paid immoderate I needed to wage and it's been astir a year."

All of this points to large holes successful Air Canada's investigation, accidental the Barlows. 

"It's precise disappointing. They took 2 months earlier responding to the complaint," Bill said. "So you would expect that if they'd taken each of that time, that they would person done immoderate much thorough investigation." 

Airline refuses to reply different cardinal questions

Aside from the airline's refusal to disclose however it came to the decision that the Barlows' idiosyncratic email was hacked, oregon however the mates tin beryllium blamed for failing to unafraid a integer wallet they didn't cognize they had, Air Canada besides didn't reply cardinal questions from CBC News, including:

• How galore customers person reported Air Canada Wallet-related fraud.

• Whether it has tested the strategy for information flaws.

• Why stronger ID checks aren't required for password resets tied to stored credits.

• Why it allows important alerts — similar summons cancellations oregon Wallet usage — to beryllium sent lone via email erstwhile it knows the risks.

"I wouldn't spot the information of the Air Canada Wallet," said Popa, pointing to the airline's refusal to accidental if the strategy has been information tested. 

He besides noted that determination person been past information breaches, including 1 successful 2018 involving the airline's app that exposed information from 20,000 customers, and different successful 2023 wherever hackers accessed worker information.

Air Canada said that the Barlows' concern is unrelated to immoderate information contented connected the airline's side. 

Popa isn't truthful sure. 

"I person yet to spot immoderate grounds of information investigating oregon substantiated claims of compliance with information extortion standards," helium said.

Stranded successful Central America, the mates had nary prime but to bargain caller instrumentality tickets.

With lone 2 days until departure, they paid astir $2,800 for system seats — a acold outcry from the concern people flights they'd primitively booked.

Those seats, says Bill, would person outgo them adjacent to $9,000 if they'd tried to rebook astatine the past minute.