American Airlines has notified customers of a recent data breach after attackers compromised an undisclosed number of employee email accounts and gained access to sensitive personal information.
In notification letters sent on Friday, September 16, the airline explained that it had no evidence that the data exposed had been misused.
American Airlines discovered the breach on July 5, immediately secured the affected email accounts, and hired a forensic cybersecurity firm to investigate the security incident.
“In July 2022, we discovered that an unauthorized actor had compromised the email accounts of a limited number of American Airlines team members,” the airline told affected customers.
“Upon discovery of the incident, we secured the affected email accounts and engaged a third-party forensic cybersecurity company to conduct a forensic investigation to determine the nature and extent of the incident.”
Personal information exposed during the attack and potentially accessed by threat actors may have included names, birth dates, mailing addresses, phone numbers, email addresses, driver’s license numbers, passport numbers and/or certain medical information of employees and customers.
The airline said it will offer affected customers a free two-year membership to Experian’s IdentityWorks to help detect and resolve identity theft.
“Although we have no evidence that your personal information has been misused, we recommend that you sign up for Experian’s credit monitoring,” added American Airlines.
“In addition, you should stay vigilant, including regularly reviewing your account statements and monitoring free credit reports.”
Limited number of people affected
The company has not yet disclosed the number of customers affected or the number of email accounts that were hacked in the incident.
Andrea Koos, senior director of corporate communications at American Airlines, told BleepingComputer that employee accounts were compromised in a phishing campaign, but declined to reveal the number of customers and employees affected, instead claiming it was a “very small number”.
“American Airlines is aware of a phishing campaign that has led to unauthorized access to a limited number of team member mailboxes. A very small amount of personal customer and employee information was contained in those email accounts,” Koos said.
“While we have no evidence that any personal information has been misused, data security is of the utmost importance and we have offered customers and team members preventative support. We are also currently implementing additional technical safeguards to prevent a similar incident from happening in the future.”
American Airlines was also hit by a data breach in March 2021, when the global airline information technology giant SITA confirmed that hackers had hacked into its servers and gained access to the Passenger Service System (PSS) used by several airlines worldwide, including American Airlines.
As the world’s largest airline by fleet size (more than 1,300 aircraft on its mainline), American Airlines has more than 120,000 employees and operates nearly 6,700 daily flights to approximately 350 destinations in more than 50 countries.
Update: Added statement from American Airlines.