CheapOair review: Information breach

I am filing this complaint against CheapOair (operated by Fareportal Inc.) regarding a data breach that exposed my personal information and their subsequent failure to notify affected customers as required under PIPEDA.

Background

I am a customer of CheapOair having made a travel booking through their platform. All personal information referenced in this complaint was provided exclusively to CheapOair at the time of booking, including my full name, email address, travel dates, destination, and flight details.

The Phishing Attacks

Following my booking, I was targeted by a series of increasingly sophisticated phishing emails impersonating CheapOair. Upon reviewing my email history, I identified that two prior phishing attempts had been automatically blocked and flagged as spam by Google’s filters. A third and final phishing email, however, successfully bypassed these filters entirely. This was because it was exceptionally accurate in its personal details and convincingly replicated official CheapOair branding and communication style to a degree that made it indistinguishable from a legitimate email. As a result, I clicked on the fraudulent link contained in that email, exposing myself to potential identity theft, unauthorized account access, and ongoing targeted fraud.

CheapOair’s Confirmed Awareness and Failure to Act

Upon discovering the phishing attempt, I contacted CheapOair directly by phone. During that call, a CheapOair representative confirmed that the company was aware that it had been hacked. Despite this confirmed internal knowledge, CheapOair made no proactive effort to notify me or, to my knowledge, any other affected customers. As of the date of this complaint — five or more days after the breach was known to CheapOair staff — I have received no email, no alert, and no communication of any kind warning me that my personal data had been compromised.

This is not a systems failure or administrative delay. CheapOair was aware of the breach and chose to wait for customers to call rather than fulfilling their legal obligation to notify those affected. Had I received timely notification, I would have been vigilant and would not have clicked the fraudulent link. The ongoing risk I now face is a direct consequence of CheapOair’s inaction.

Harm Suffered

While I have not yet experienced direct financial loss, I have suffered the following:

• Exposure to potential identity theft and ongoing targeted fraud as a result of clicking the phishing link
• Significant time and anxiety spent investigating the breach, securing accounts, changing passwords, and monitoring financial statements
• Considerable time spent researching my legal rights, drafting a formal complaint to CheapOair, and preparing this submission
• Ongoing uncertainty and stress regarding what additional personal data may have been compromised and how it may be used

CheapOair’s Violation of PIPEDA Obligations

CheapOair’s conduct represents a potential violation of their mandatory breach notification obligations under PIPEDA, which requires organizations to notify affected individuals of breaches posing a real risk of significant harm without unreasonable delay. A breach sophisticated enough to generate targeted, personalized phishing emails that bypass Google’s spam filters clearly meets this threshold. The first email was received on June 2nd, followed by Five or more days of silence after confirmed internal knowledge of the breach is unreasonable delay by any standard.

What I Am Requesting

I respectfully request that the Office of the Privacy Commissioner investigate the following:

1. Whether CheapOair reported this breach to the OPC as required under PIPEDA
2. The specific date CheapOair became aware of the breach and what internal actions were taken
3. Why affected customers were not proactively notified in a timely manner
4. Whether CheapOair’s data protection practices meet the standard required under Canadian privacy law

I am further requesting that the OPC recommend CheapOair immediately notify all affected customers, and provide impacted individuals with a minimum of two years of credit monitoring at no cost.

Supporting Documentation

I am attaching the following in support of this complaint:

• Formal complaint letter sent to CheapOair dated June 8th, 2026 (I waited 2 days after my interaction to see if they send out any communication based on my feedback)
• Screenshots of the phishing emails I continue to receive. I deleted the first 2 in panic on Saturday, so I cannot recover them, but I am seeing another one that came to my email and was blocked by Google spam filters
• Screenshot of the phishing email that bypassed spam filters, showing accurate personal details and CheapOair branding
• Screenshot of emails received from CheapOair, confirming that they have not sent any email notifying of the data breach.

View 0 more photos