EXECUTIVE SUMMARY:
The US airline, which reportedly owns the world’s largest fleet of aircraft, has fallen prey to a phishing campaign. The campaign ultimately fooled American Airlines’ employees.
American Airlines breach
Americans Airlines stated that the personal information of a “very small number” of employees and customers was affected by an unauthorized party’s compromise of the company’s business email accounts.
“American Airlines is aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes,” – American Airlines
Information obtained by hackers includes driver’s license details, passport numbers, dates of birth, and medical information. Thus far, analysts do not believe that the stolen data has been misused or sold, although attackers may be waiting for a lower-profile sales opportunity.
Keeping customers secure
Additional safeguards have been put in place to prevent future attacks, says the airline. The company secured breached accounts and hired a cyber security firm to assist with an investigation.
“We regret that this incident occurred and take the security of your personal information very seriously,” wrote Chief Privacy and Data Protection Officer, Russell Hubbard, in a letter to affected customers. American Airlines is offering two years of identity theft monitoring services to victims.
Are airlines more prone to data breaches than other sectors?
Vicious phishing attacks are becoming increasingly common across nearly all sectors of the economy, and the aviation industry is no stranger to data breaches.
In 2020, nine million EasyJet passengers were affected by a data breach, which exposed the credit card details belonging to over 2,000 individuals. The airline waited for four months before notifying customers. After litigation, customers were entitled to compensation.
Last year, Malaysia Airlines suffered a security incident affecting those who participated in the airline’s frequent flyer program. The breach reportedly involved a third-party IT service provider. No evidence pointed to data misuse, however, as a precaution, the company did request for passengers to change account passwords.
Because airlines store information that can be used to orchestrate identity theft, airlines represent an attractive target for cyber criminals. Passport numbers, full names, and dates of birth allow criminals to pursue illegal activities such as fraudulently taking out loans in someone else’s name or crossing international borders.
Fending off phishing
The commercial availability of ‘phishing kits’ means that nearly anyone can organize a phishing campaign, regardless of technical capabilities. In the modern era, phishing is a DIY activity. Take steps to prevent phishing attacks. Start with the following:
1. Educate employees. Phishing awareness training can protect your employees, customers and your business from email fraud.
2. Consider password managers. Using a password manager can help defend against brute-force accounts with weak passwords, along with credential stuffing.
3. Endpoint security. The increased use of cloud services and personal devices in the workplace have introduced new endpoints that may not be fully protected. It’s essential to monitor endpoints for security threats and to implement rapid remediation and response for compromised devices.
4. Deploy email security. Email filtering solutions can block malware, detecting malicious links, attachments, spam content and language that may indicate a phishing threat.
5. Conduct phishing simulations. Request for your IT department to send out a fake phishing email and to assess responses.
6. Limit access to high-value systems and data. Privileged user accounts are attractive to cyber criminals, as access potentially allows for lateral movement across a network.
Learn more about essential phishing prevention best practices here. For the top 15 phishing attack statistics, see CyberTalk.org’s past coverage.
Lastly, to receive cutting-edge cyber security news, interviews, expert analyses and leading security resources, please sign up for the CyberTalk.org newsletter.
