Earlier today, American Airlines became the latest big-name brand to announce a data breach, after an unauthorized actor compromised employee inboxes.
A statement released from the aerospace giant confirmed that the source of the incident was a phishing attack which “led to the unauthorized access to a limited number of team-member mailboxes.”
The airline explained that “a very small number of customers’ and employees’ personal information” was contained in the accessed emails, suggesting that its attackers were not able to pivot to corporate data stores.
On Friday, American Airlines sent a breach notification letter to customers, as seen by Infosecurity, which noted that the incident actually took place in July this year.
“Upon discovery of the incident, we secured the applicable email accounts and engaged a third-party cybersecurity forensic firm to conduct a forensic investigation to determine the nature and the scope of the incident. Our investigation determined that certain personal information was in the email accounts. We conducted a full eDiscovery exercise and determined some of your personal information may have been contained in the accessed email accounts,” it explained.
“We have no evidence to suggest that your personal information was misused. Nevertheless, out of an abundance of caution, we wanted to provide you with information about the incident and protective measures you can take.”
Threat actors have potentially gained accessed to personal information including: names, dates of birth, mailing and email addresses, phone numbers, driver’s license and passport numbers, and medical information.
As a means of compensation, the airline is offering those affected two years’ worth of identity theft protection from Experian.
It has been reported that this is far from the first time American Airlines has been put on the back foot by malicious third parties.
Similarly in 2015, it was reported that hackers broke into around 10,000 customer accounts in search of frequent flyer miles and other monetizable assets, while in 2021 its loyalty program was compromised by a breach at third-party IT provider SITA.