American Airlines is offering an undisclosed number of customers free identity services after discovering employee email accounts were compromised. (Photo by Joe Raedle/Getty Images)

American Airlines on Friday sent a letter to its customers informing them that a bad actor had compromised the email accounts of some of the company’s employees in July, an incident that led to the personal information of customers and employees potentially being exposed and accessed.

In the letter, American Airlines said upon discovery of the incident, the company secured the affected email accounts and hired a third-party cybersecurity forensic firm to determine the nature of the incident.

Personal information potentially accessed by the threat actors may have included the names of customers and employees, dates of birth, mailing addresses, phone numbers, email addresses, driver’s license numbers, passport numbers, and certain medical information.

American Airlines insists that there’s no evidence to date that any of the personal information was misused by the threat actor. The company also offered a two-year free membership to Experian’s IdentityWorks to help customers with identity issues.

While there was apparently no credit card information included in the recent American Airlines breach, much of the information that was stolen would be very useful to an identity thief, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said name, address, driver's license, and passport information are all gold for a malicious actor trying to impersonate someone else.

“It’s good to see that American Airlines is reaching out to their affected customers and is offering support,” Parkin said. “Breaches like this show that the user base is still a primary attack surface. While there has been something of an uptick in technical exploits, going after application or OS vulnerabilities, the users are still a favorite target. Organizations spend a lot of time and effort trying to turn their users from part of the attack surface into part of the security stack, as we all should be. But it’s not easy. For most people, getting their job done is the No. 1 priority, which puts cybersecurity farther down the list as a priority.”

Pete Starr, global director of sales engineering at Cyren, added that phishing remains an unsolved cybersecurity problem for businesses and individuals. Starr said the American Airlines case is another example of cybercriminals using successful credential harvesting campaigns to launch subsequent and more damaging attacks.

“Attacks like this only serve to reinforce the understanding that prevention-based email security approaches and traditional user security training have failed,” Starr said. “Organizations need additional layers of technology and processes to continually hunt for targeted email attacks like spear phishing and business email compromise to quickly and automatically eliminate the threats once identified. Security training must evolve so it can be applied in real-time and to real attacks.”