A “limited number” of American Airlines’ employees’ email accounts were compromised by an “unauthorized actor,” who had potential access to a range of those employees’ personal data, the company said in a disclosure Sept. 16.
The company discovered the breach in July, and the hacker may have had access to employees’ name, date of birth, mailing address, phone number, email address, driver’s license number, passport number and “certain medical information you provided,” according to the notice, which was signed by Russell Hubbard, American Airlines deputy general counsel and chief privacy and data protection officer.
Andrea Koos, senior manager for corporate communications for American Airlines, told CyberScoop in an email that the company is “aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes. A very small number of customers and employees’ personal information was contained in those email accounts.”
The breach notice follows a meeting the White House held last week with airline and other aviation executives to discuss the cybersecurity threat facing the industry. Anne Neuberger, President Biden’s deputy national security adviser for cyber and emerging tech, led that meeting.
The gathering of aviation officials was the Biden administration’s third classified threat briefing with leaders of critical infrastructure sectors in the past several months. Neuberger is spearheading a sector-by-sector effort to close cybersecurity gaps in critical infrastructure and led a similar classified threat briefing for the rail sector just weeks ago.
A senior White House official said last week that the administration “brought in industry leaders from the aviation sector to share sensitive information that provides important context to them, requiring them to increase their cybersecurity and receive feedback on U.S. government changes to mandate certain cyber practices for the sector.”
“Malicious cyber actors are always trying to exploit U.S. critical infrastructure,” the official added.
Cyberthreats to airlines and airports have become a growing concern for administration officials and experts alike. While the American Airlines hack appears to have affected mostly employee data, analysts have warned that attacks endangering passengers are possible.
“Both airports and aircraft have networks designed to allow passengers to access the internet,” Jim Richberg, Fortinet’s field CISO for the public sector, told StateTech magazine earlier this month. “Computer and navigation systems could be held for ransom or infiltrated with other malware to slow or disrupt travel and potentially put human lives at risk in a worst-case scenario.”
The company said it has contracted a third-party cybersecurity firm to investigate the full scope of the incident, but so far has “no evidence to suggest [the] information was misused.”
Employees were offered a two-year membership in Experian’s IdentityWorks identity theft monitoring program, the notice said.
Updated, 9/20/22: To include a statement from American Airlines.