The breach was disclosed by AA in a letter to victims on September 16, describing the breach as relating to an authorized representative breaching the email accounts of a limited number of AA team members in July. The airline said that upon discovering the incident, it secured email accounts and engaged a third-party cybersecurity forensic evidence company to investigate the nature and scope of the incident.
The investigation was inconclusive, and it found that some personal information was in the email accounts but there was no evidence of personal information misuse. However, the airline added that out of great caution, it was informing potential victims of the breach.
Information that could potentially be stolen includes name, date of birth, postal address, phone number, email address, driver’s license number, passport number, and/or certain medical information. A two-year membership to Experian IdentityWorks is offered to all those who are likely to be exposed to identity theft and to resolve identity theft.
While the data breach vector was not immediately disclosed by the AA, a spokesperson for the airline told Bleeping Computer that accounts were compromised in a phishing campaign and that “a very small number” of team members and customers were affected.
This is not the first time that American Airlines has been targeted in a cyber attack, as Chinese hackers have compromised AA and airline booking company Saber Corp. in 2015, resulting in the potential for millions of records to be stolen.
Commenting on the news, John John, CEO of Tokenize Inc. SiliconANGLE said, “The reputational damage from this infringement is likely to outweigh out-of-pocket losses, particularly in an industry where proper precautions and safety are paramount in customers’ choice of airlines to fly with.
Eric Kron, security awareness advocate at KnowBe4 Inc. Security Awareness Training says, “Email accounts are still a preferred target for cybercriminals and this is just another example of email phishing allowing them to take over some accounts.”
“While the number of individuals affected by this may be limited, organizations such as airlines collect and carry relatively sensitive information that can have a significant impact on these victims,” Crone explained. “While the airline states that there has been no misuse of data so far with knowledge of it, it has been a relatively short period of time and it is not always known whether or not this data has been misused, so this is not very convenient for potential victims.”