American Airlines announced on Friday, September 16, that an unauthorized party gained access to “a limited number” of its employees’ email accounts in July, exposing customers’ personal information in the affected accounts.
In a letter to customers, the company said it quickly secured the compromised email accounts and contacted a third-party cybersecurity forensic firm to look into the incident.
American Airlines insists there’s no evidence that the compromised information has been “misused.” Nonetheless, the company has taken steps to help customers track potential exploitation of their data and prevent identity theft.
Leaked Personal Data
According to American Airlines, the leaked personal information may include customers’ names, dates of birth, mailing addresses, phone numbers, email addresses, driver’s licenses, and medical information.
The airline said it was implementing “additional technical safeguards” to prevent a similar breach in the future. Meanwhile, American Airlines has offered affected customers a two-year membership of Experian’s IdentityWorks to protect them from identity theft “out of an abundance of caution.”
The company urged customers to remain alert for any suspicious financial activity.
American Airlines has not revealed how many customers were affected by the breach. A spokesperson for the company told Bleeping Computer that it was a “very small number.”
Social Engineering Scams on the Rise
In a statement released to the media, American Airlines said a phishing campaign led to the data breach.
“American Airlines is aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes,” the statement reads.
There has been an uptick in social engineering scams this year. Using social engineering techniques, threat actors have breached several high-profile companies, including Microsoft, Okta, and, more recently, Uber.
If you were affected by the American Airlines incident, keep an eye out for identity theft and potential phishing attacks. Threat actors can use sensitive information, such as driver’s license numbers, passport numbers, and medical information, to orchestrate convincing scams.