• An “unauthorized actor” received customers’ personal information from an American Airlines security breach, including names, birthdays, mailing and email addresses, phone numbers, driver’s licenses, passport numbers, and “some medical information.”
  • According to a sample letter from the company dated September 16th, the airline discovered the breach in July and launched an investigation with a third-party security cybersecurity agency.
  • American Airlines offers two free years of Experian’s identity theft protection package to anyone whose data was exposed.

American Airlines is notifying some of its customers of a data breach in which an “unauthorized actor” obtained names, birthdays, mailing and email addresses, phone numbers, driver’s licenses and passport numbers, and “certain medical information” via compromising staff email addresses.

American Airlines security breach was discovered back in July

The airline identified the compromise in July and initiated an investigation with a third-party security cybersecurity firm, according to a sample letter from the company dated September 16th.

Customer Information Was Stolen In A Recent American Airlines Security Breach
Information stolen from the American Airlines security breach includes passport numbers, and “certain medical information”

The Verge inquired of the corporation how long the attackers had access to the email accounts prior to the American Airlines security breach being revealed. In response, airline spokesperson Andrea Koos issued a statement with a few specifics about what transpired.

Koos stated, “American Airlines is aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes. A very small number of customers and employees’ personal information was contained in those email accounts.”

Customer Information Was Stolen In A Recent American Airlines Security Breach
The company claims that the personal information stolen has not yet been exploited in any way

The firm claims it has “no evidence to suggest” that customers’ personal information has been exploited and is “currently implementing additional technical safeguards to prevent a similar incident from occurring in the future.”

Unfortunately, the time gap between discovery and disclosure is not unusual. Samsung recently announced a breach over a month after discovering it, while the public heard of a 2020 hack on the federal court system earlier this year.

Customer Information Was Stolen In A Recent American Airlines Security Breach
It is not the first time a company delayed their disclosure of the discovery of a security breach

The massive Uber security breach causes an uproar in the cybersecurity community


While it’s reasonable that investigations might take time, especially selecting who to tell, it does mean that criminal actors have access to people’s information for a long time before they even realize there’s an issue. In this case, the company is providing anyone whose data was compromised from the American Airlines security breach with two complimentary years of Experian’s identity theft protection program.

Previous post

NVIDIA announced the new NeMo and BioNemo large language models at GTC 2022

Next post

The insurance of insurers