Major airline American Airlines has fallen victim to a data breach after a threat actor got access to the email accounts of several employees via a phishing attack.
According to a published notice of a security incident, the data breach was discovered in July 2022.
How it happened
American Airlines said the successful phishing attack led to the unauthorized access of a limited number of team member mailboxes. American Airlines discovered the breach on July 5, 2022 and immediately secured the impacted email accounts. It then hired a cybersecurity forensic firm to investigate the security incident. A forensic investigation can be a huge help to determine what happened and what the possible consequences of the incident are.
[update September 26, 2022]
A legal notice sent to the Office of the New Hamshire Attorney general reveals that the unauthorized actor used an IMAP protocol to access the mailboxes. Use of the IMAP protocol may have anabled the threat actor to synchronize the content of said mailboxes to another device. But it appears they only used the access to send out further phishing emails. These emails would look as internal mails to American Airlines staff. A review showed that the number of documents that contained personal information was small and would be hard to extract.
What the attackers had access to
In the notice, American Airlines wrote:
“The personal information involved in this incident may have included your name, date of birth, mailing address, phone number, email address, driver’s license number, passport number, and/or certain medical information you provided.”
So far, American Airlines has not disclosed the exact number of breached email accounts or how many customers were affected.
American Airlines says it will implement additional technical safeguards to prevent a similar incident from happening in the future.
It offers affected customers a complimentary two-year membership of Experian’s IdentityWorksSM. While we would not recommend paying for such a service, getting it for free may not be a bad deal. Identity theft monitoring services sound great at first, they’re not really expensive and seem to provide peace of mind against an avalanche of ever-more damaging breaches. But they don’t, at present, protect against the worst impacts of identity theft—the theft itself.
American Airlines says it has no evidence that personal information has been abused, but recommends that you enroll in the free credit monitoring. In addition, customers should be extra vigilant, including by regularly reviewing account statements and monitoring free credit reports.
We’d like to add that this type of incident often triggers yet another round of phishing attacks, only targeted at potentially affected customers. Typically these phishing mails will try to leverage some kind of urgency to try and trick you. For example, they might urge you to click some link to claim some sort of compensation for the incident. The sense of urgency is something almost all phishing mails have in common: They do not want you to think, just react.
Other signs that something’s phishy:
- The email, text, or voicemail is requesting that you update/fill in personal information. This is especially dubious if it’s coming from a bank or the IRS. Treat any communication asking for your credentials with extra caution.
- The URL shown on the email and the URL that displays when you hover over the link are different from one another.
- The “From” address is an imitation of a legitimate address, especially from a business.
- The formatting and design are different from what you usually receive from an organization. Maybe the logo looks pixelated or the buttons are different colors. Or possibly there are weird paragraph breaks or extra spaces between words. If the email appears sloppy, start making the squinty “this looks suspect” face.
- The content is badly written. Sure, there are plenty of bad writers working for legitimate organizations, but this email might seem particularly amateur. Are there obvious grammar errors? Is there awkward sentence structure, like perhaps it was written by a computer program or someone whose second language is English?
- The email contains attachments from unknown sources that you were not expecting.
- The website you are sent to is not secure. If you do go ahead and click on the link of an email to fill out personal information, be sure you see the “https” abbreviation as well as the lock symbol at the beginning of the URL. If not, that means any data you submit is vulnerable to cybercriminals. (If the link is malicious, Malwarebytes will block the site.)
And each of the above is reason enough to question the legitimacy of the email. Phishers have far evolved past the “Nigerian prince with a treasure” level. Above all else, trust your instincts—if it looks, smells, or feels phishy then it probably is.
Stay safe, everyone!