American Airlines learned it was breached from phishing targets

American Airlines says its Cyber Security Response Team found out about a recently disclosed data breach from the targets of a phishing campaign that was using an employee's hacked Microsoft 365 account.


As the airline said in filings with the Office of the New Hampshire Attorney General, after receiving these phishing reports, American's CIRT discovered unauthorized activity in the company's Microsoft 365 environment.


The investigation also revealed the attacker accessed multiple employees' accounts (also compromised via phishing attacks) and used them to send more phishing emails to targets American has not yet disclosed.


The company added that the team members' accounts also provided access to employee files stored on the SharePoint cloud-based service.


"Through its investigation, American was able to determine that the unauthorized actor used an IMAP protocol to access the mailboxes. Use of this protocol may have enabled the unauthorized actor to sync the contents of the mailboxes to another device," a legal notice describing the security incident explains.


"American has no reason to believe that syncing the contents of the mailboxes was the purpose of the access. Based on the fact, it appears the unauthorized actor was using IMAP protocol as a means to access the mailboxes and send phishing emails." 


While the airline believes the risk to affected individuals is remote, it notified impacted individuals of the data breach starting on September 16th.


As American disclosed in the notification letters, personal information exposed in the attack may have included employees' and customers' names, dates of birth, mailing addresses, phone numbers, email addresses, driver's license numbers, passport numbers, or certain medical information.


Data breach affects over 1,700 customers and employees


When asked for more details regarding this incident, American Airlines' Sr. Manager for Corporate Communications Andrea Koos refused to share the exact number of individuals affected by this data breach, instead saying it was a "very small number."


However, as the company later disclosed in a filing with the Office of the Maine Attorney General, the data breach impacted 1,708 American Airlines customers and team members. 


The company says it will offer affected individuals two years of Experian's IdentityWorks free membership with identity restoration services, triple bureau monitoring, and up to $1 million in identity theft insurance to help with identity theft detection and resolution.


"Although we have no evidence that your personal information has been misused, we recommend that you enroll in Experian's credit monitoring," American Airlines added.


"In addition, you should remain vigilant, including by regularly reviewing your account statements and monitoring free credit reports."


The airline was hit by another data breach in March 2021 when global air information tech giant SITA said hackers breached its servers and gained access to the Passenger Service System (PSS) used by multiple airlines worldwide, including American Airlines.


American Airlines is the world's largest airline by fleet size (with over 1,300 aircraft units in its mainline). It has more than 120,000 employees and operates almost 6,700 flights daily to roughly 350 destinations in over 50 countries.