American Airlines experienced a breach of its customer and employee data in early July. The company announced the hack more than two months later in a letter sent to affected customers on Friday and first shared as a PDF by Bleeping Computer.
“The personal information involved in this incident may have included your name, date of birth, mailing address, phone number, email address, driver’s license number, passport number, and/or certain medical information you provided,” the airline wrote to customers. However, the company claimed to have “no evidence” that customers’ personal information has been misused.
American Airlines also said that, upon discovery of the issue, the company secured the impacted email accounts and hired a third party to investigate. The investigation determined that the breach was confined to a “limited number” of employee email accounts.
The airline did not respond to Gizmodo’s questions about how many accounts or people were impacted by the incident. However, in an emailed statement, a company spokesperson said:
American Airlines is aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes. A very small number of customers and employees’ personal information was contained in those email accounts. While we have no evidence that any personal information has been misused, data security is of the utmost importance and we offered customers and team members precautionary support. We are also currently implementing additional technical safeguards to prevent a similar incident from occurring in the future.
Like other recent hacks, this one seems to have originated through employee phishing, since the breach began with airline worker email accounts. In the massive August Twilio breach that compromised 10,000 sets of login credentials, hackers sent fraudulent phishing text messages styled to look like Okta’s security protocol.
And, in last week’s Uber security breach, a hacker allegedly posed as a member of the company’s IT team via text to obtain employee credentials. The moral of the story: It’s probably a good time to be extra skeptical of your texts and emails.
In response to the data breach, American Airlines is offering two years of free Experian identity theft and credit monitoring to impacted customers. The company further encouraged its customers to “remain vigilant,” by keeping tabs on credit reports and financial accounts.
This isn’t the first time the airline has had a data security issue. In March 2021, American Airlines was one of many companies impacted by a hack of SITA’s passenger system. SITA is one of the biggest aviation tech service companies worldwide, working with about 90% of airlines.
Update 9/20/2022, 11:53 a.m. ET: This post has been updated with a statement from American Airlines.