American Airlines Warns Customers Of Data Breach

American Airlines is once again at the centre of a data breach incident, after it notified customers last Friday that their data had been compromised.

Two months after the airline first discovered it had been hacked, it notified customers last Friday (16th September) that an “unauthorised actor” had obtained access to names, birthdays, mailing and email addresses, phone, driver’s license and passport numbers, and “certain medical information” by compromising employee email addresses, BleepingComputer reported.

“In July 2022 we discovered that an unauthorised actor compromised the email accounts of a limited number of American Airlines team members,” the airline said in a letter to affected customers.

Data breach

“Upon discovery of the incident, we secured the applicable email accounts and engaged a third party cybersecurity forensic firm to conduct a forensic investigation to determine the nature and the scope of the incident,” it added.

The airline said it would offer affected customers free two-year membership of Experian’s IdentityWorks to help with identity theft detection and resolution, BleepingComputer reported.

“Although we have no evidence that your personal information has been misused, we recommend that you enroll in Experian’s credit monitoring,” American Airlines added.

“In addition, you should remain vigilant, including by regularly reviewing your account statements and monitoring free credit reports.”

Andrea Koos, American Airlines’ senior manager for corporate communications, told BleepingComputer that the employees’ accounts were compromised in a phishing campaign but refused to reveal how many customers and employees were affected, instead saying that it was a “very small number.”

Previous breaches

The airline has suffered a number of breaches previously.

In March 2021 American Airlines was among the casualties when air tech giant SITA confirmed that hackers had breached its servers and gained access to the Passenger Service System (PSS) used by multiple airlines worldwide, including American Airlines.

Then seven years ago both American Airlines and United Airlines confirmed numerous user accounts on both airlines had been hijacked in late December 2014, with the thieves in some cases taking advantage of user credits to book free trips or upgrades.

That 2014/2015 incident was not the result of hacks on the airlines’ own systems – the thieves had obtained user credentials such as usernames and passwords elsewhere, the companies said.

American said at the time that about 10,000 accounts were compromised, with two used to book free travel or an upgrade.

Airline targets

Security expert and CEO of MyCena Security Solutions, Julia O’Toole, noted that airlines have been a key target for cybercriminals for many years now and in just the last couple of months there have been attacks on TAP Portugal, Pegasus and now American Airlines.

“The reason airlines are such a prime target, is because attackers have many different avenues to target and damage them,” said O’Toole. “Firstly, there is a huge opportunity to access and steal critical data, like passports, PII and credit cards. While secondly, flaws in aviation systems, like the WiFi vulnerability that was announced last week, can put the physical safety of aeroplanes at risk.”

“In this instance against American Airlines, it looks like the attackers gained access through phishing, one of the easiest, yet most effective, attacks to execute,” said O’Toole. “When it comes to defending against phishing, employee awareness is good, but clearly not enough to prevent all attacks.”

“As a result, organisations should look towards encryption to improve their defences,” said O’Toole. “This involves encrypting employee access credentials, so they don’t even know them.”

“This means credentials cannot be stolen or phished,” said O’Toole. “Furthermore, when organisations segment their access, criminals cannot bring their whole network down with one set of credentials.”

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
