American Airlines recently suffered a data breach, threat actors compromised a limited number of employee email accounts.
The intruders had access to sensitive personal information contained in the accounts, but the company’s data breach notification states that it is not aware of any misuse of exposed data.
The security breach was discovered on July 5th, the airline promptly adopted the measure to mitigate the incident and secure the impacted email accounts. Then American Airlines launched an investigation with the help of a leading cybersecurity forensic firm.
“In July 2022 we discovered that an unauthorized actor compromised the email accounts of a limited number of American Airlines team members. Upon discovery of the incident, we secured the applicable email accounts and engaged a third-party cybersecurity forensic firm to conduct a forensic investigation to determine the nature and the scope of the incident.” reads the data breach notification sent to the impacted customers (Source Bleeping Computer). “Our investigation determined that certain personal information was in the email accounts. We conducted a full eDiscovery exercise and determined some of your personal information may have been contained in the accessed email accounts. We have no evidence to suggest that your personal information was misused. Nevertheless, out of an abundance of caution, we wanted to provide you with information about the incident and protective measures you can take.”
Exposed data includes name, date of birth, mailing address, phone number, email address, driver’s license number, passport number, and/or certain medical information provided by the impacted individuals.
The company announced that it is implementing additional technical safeguards to prevent a similar incident from occurring in the future. American Airlines is offering a complimentary two-year membership of Experian’s IdentityWorksSM to protect the identity of the impacted users.
BleepingComputer reported that the employees’ accounts of American Airlines were compromised in a phishing campaign.
(SecurityAffairs – hacking, data breach)