American Airlines Suffers Data Breach, Customers’ Data Leaked

American Airlines airplane taking off

American Airlines announced on Friday, September 16, that an unauthorized party gained access to “a limited number” of its employees’ email accounts in July, exposing customers’ personal information in the affected accounts.

In a letter to customers, the company said it quickly secured the compromised email accounts and contacted a third-party cybersecurity forensic firm to look into the incident.

American Airlines insists there’s no evidence that the compromised information has been “misused.” Nonetheless, the company has taken steps to help customers track potential exploitation of their data and prevent identity theft.

Leaked Personal Data

According to American Airlines, the leaked personal information may include customers’ names, dates of birth, mailing addresses, phone numbers, email addresses, driver’s licenses, and medical information.

The airline said it was implementing “additional technical safeguards” to prevent a similar breach in the future. Meanwhile, American Airlines has offered affected customers a two-year membership of Experian’s IdentityWorks to protect them from identity theft “out of an abundance of caution.”

The company urged customers to remain alert for any suspicious financial activity.

American Airlines has not revealed how many customers were affected by the breach. A spokesperson for the company told Bleeping Computer that it was a “very small number.”

Social Engineering Scams on the Rise

In a statement released to the media, American Airlines said a phishing campaign led to the data breach.

“American Airlines is aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes,” the statement reads.

There has been an uptick in social engineering scams this year. Using social engineering techniques, threat actors have breached several high-profile companies, including Microsoft, Okta, and, more recently, Uber.

If you were affected by the American Airlines incident, keep an eye out for identity theft and potential phishing attacks. Threat actors can use sensitive information, such as driver’s license numbers, passport numbers, and medical information, to orchestrate convincing scams.

Check out our phishing and social engineering guides to learn more about these malicious schemes.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.