American Airlines Data Breach Linked to a Phishing Campaign Exposed Sensitive Customer and Employee Personal Information

Hackers gained access to sensitive customer and employee personal information after compromising American Airlines in a data breach attributed to a phishing campaign.

The company filed a data breach notification letter with Montana’s State Attorney General’s Office on September 16, disclosing that the breach was discovered in July, approximately two months earlier.

American Airlines also notified customers, adding that only a small number were affected and that the data had not been misused.

With its largest base at Dallas Fort Worth International Airport, American Airlines operates over 6,500 daily flights across 350 destinations in 50 countries. It also employs about 120,000 workers and maintains the world’s largest fleet of 1,300 airplanes.

Attackers breached email accounts to access personal information

An investigation by American Airlines determined that hackers likely accessed sensitive information of some customers and employees, including names, email addresses, passport numbers, dates of birth, driver’s license numbers, mailing addresses, phone numbers, and medical information.

However, the company said only a “very small number of customers” were impacted, and there was no evidence that the attackers had misused the stolen information.

“While we have no evidence that any personal information has been misused, data security is of the utmost importance and we offered customers and team members precautionary support.”

American Airlines said it responded by securing the employee email accounts compromised in the phishing campaign and hiring a cybersecurity firm to investigate the data breach. The airline also implemented “additional technical safeguards to prevent a similar incident from occurring in the future.”

Data breach victims will have access to 24 months of complimentary credit monitoring services with Experian IdentityWorks. The service protects users from identity theft and fraud and facilitates the resolution of fraud cases. Additionally, the Fort Worth, Texas-based airline operator advised customers to remain vigilant for potential fraud by monitoring their account statements for suspicious activity.

“The reputational damage from this breach will likely far exceed the out-of-pocket losses, especially in an industry where proper precautions and safety are paramount in customers’ selection of which airline they fly with,” said John Gunn, CEO at Token.

American Airlines’ data breach was attributed to a phishing campaign

The airline disclosed that hackers gained access to personal information after breaching employee email accounts in a phishing campaign.

“American Airlines is aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes,” American Airlines spokesman Curtis Blessing said. “A very small number of customers and employees’ personal information was contained in those email accounts.”

However, the spokesperson did not disclose how many customers were impacted by the data breach or the identity of the threat actor behind the phishing campaign.

Airlines are “irresistible targets” of cyber attacks

Unsurprisingly, air transport companies are prime targets of cyber-attacks because of the volume and value of the up-to-date personal information they collect and store.

“Given the troves of personal information stored within large enterprise organizations, they will always be a likely target for cybercriminals,” said Erfan Shadabi, a cybersecurity expert with Comforte AG. “With an ever-growing attack surface, building just another wall around the organization’s network or a segment of sensitive data is not the best way forward.”

Back in 2021, American Airlines suffered a third-party data breach after hackers compromised global technology company SITA. The data breach affected approximately 2.1 million customers from dozens of airlines that use the Passenger Service System for transactions. And in 2022, Indian airline SpiceJet suffered a ransomware attack that grounded flights, causing widespread disruptions.

According to Eurocontrol’s “Aviation Under Attack From a Wave of Cybercrime” report, airlines were irresistible targets, facing 61% of all cyberattacks targeting the aviation industry in 2020. The companies also lost approximately $1 billion annually from fraudulent websites.

“In the end, the most important thing to do is to protect the employee data, rather than the borders around that information,” Gunn added. “With modern solutions such as format-preserving encryption or tokenization, you can render useless to hackers any PII (including names, addresses, and IDs) or other data that’s considered sensitive, even if they manage to penetrate strengthened perimeters and actually get their hands on it.”