American Airlines has become the latest big-name brand to announce a data breach in recent days, after an unauthorized actor compromised employee inboxes.
The aerospace giant confirmed in a statement that the source of the incident was a phishing attack which “led to the unauthorized access to a limited number of team-member mailboxes.”
The airline said that “a very small number of customers’ and employees’ personal information” was contained in the accessed emails, suggesting that its attackers were not able to pivot to corporate data stores.
A breach notification letter sent to customers by American Airlines on Friday and seen by Infosecurity, noted that the incident actually took place in July this year.
“Upon discovery of the incident, we secured the applicable email accounts and engaged a third-party cybersecurity forensic firm to conduct a forensic investigation to determine the nature and the scope of the incident. Our investigation determined that certain personal information was in the email accounts. We conducted a full eDiscovery exercise and determined some of your personal information may have been contained in the accessed email accounts,” it explained.
“We have no evidence to suggest that your personal information was misused. Nevertheless, out of an abundance of caution, we wanted to provide you with information about the incident and protective measures you can take.”
The information potentially accessed by the threat actors includes: names, dates of birth, mailing and email addresses, phone numbers, driver’s license and passport numbers, and medical information.
The airline is offering those affected two years’ worth of identity theft protection from Experian.
This is far from the first time American Airlines has been put on the back foot by malicious third parties.
In 2015, hackers broke into around 10,000 customer accounts in search of frequent flyer miles and other monetizable assets, while in 2021 its loyalty program was compromised by a breach at third-party IT provider SITA.