Using a phishing campaign to breach email accounts, hackers reportedly accessed the personal information of a “small number” of American Airlines customers and employees in July, the company announced last week.
The Fort Worth-based airline claimed there was no indication that hackers used any of the personal information accessed in the breach in a way that would be detrimental to customers.
“American Airlines is aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes,” American spokesman Curtis Blessing said.
Blessing stressed that “a very small number of customers and employees’ personal information was contained in those email accounts.
Following the discovery of the phishing campaign in July, American Airlines locked down all breached accounts and hired a third-party cybersecurity forensic firm to investigate the nature and the magnitude of the hack, according to a consumer notification letter dated September 16.
“We are also currently implementing additional technical safeguards to prevent a similar incident from occurring in the future,” the airline said Tuesday.
The carrier’s customers were finally notified last week that compromised personal information could have included their date of birth, driver’s license or passport number, or medical information, according to law enforcement officials in Montana.
American Airlines gave no further information about the nature of the compromised information or how many customers were exposed to the hack, but it did offer impacted customers two years of identity theft protection coverage.
“We regret that this incident occurred and take the security of your personal information very seriously,” American’s chief privacy and data protection officer, Russell Hubbard, said in the letter.
The world’s largest airline has faced several challenges this year, including an industry-wide pilot shortage, scheduling conflicts, a picketing campaign by perturbed pilots, and an array of flight cancellations.
While hacks are typically uncommon for large-scale companies, Uber and Take-Two Interactive recently experienced similar breaches, leaving many stakeholders concerned about how secure their personal information is in the hands of businesses.