American Airlines is alerting some of its customers to a data breach, where an “unauthorized actor” got access to names, birthdays, mailing and email addresses, phone, driver’s license and passport numbers, and “certain medical information” by compromising employee email addresses (via Bleeping Computer). According to a sample letter from the company, dated September 16th, the airline discovered the breach in July and began an investigation with a third-party security cybersecurity firm.
I asked the company if it knew how long the attackers had access to the email accounts before the breach was discovered. In response, spokesperson Andrea Koos sent the airline’s statement, which contains a few details about what happened but doesn’t answer the question.
“American Airlines is aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes. A very small number of customers and employees’ personal information was contained in those email accounts,” Koos said, before adding that the company is “currently implementing additional technical safeguards to prevent a similar incident from occurring in the future.” The company says it has “no evidence to suggest” that customers’ personal info has been misused.
Unfortunately, the lag between discovery and disclosure isn’t exactly uncommon. Samsung recently disclosed a breach almost a month after it had discovered it, and earlier this year, the public learned about a 2020 hack on the federal court system. While it’s understandable that investigations can take time, especially when it comes to determining who to notify, it does mean that bad actors have access to people’s info for quite a while before they even know to watch out for problems. In this particular instance, American Airlines is offering people whose data was affected two free years of Experian’s identity theft protection service.