American Airlines said it was the target of a July data breach after an outside actor compromised the accounts of a limited number of company workers.
The airline notified customers last week regarding the incident, which compromised certain personally identifiable information, including names, addresses, emails, and other sensitive information such as driver’s license and passport numbers.
Bleeping Computer previously reported the breach.
American Airlines secured the affected email accounts and hired an outside cyber forensics firm to help investigate the incident. The airline told customers there was no evidence of data misuse.
The carrier said it is implementing a series of technical safeguards to make sure such a breach does not occur again.
The customer notification was signed by Russell Hubbard, deputy general counsel and chief privacy and data protection officer.
“American Airlines is aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes. A very small number of customers and employees’ personal information was contained in those email accounts,” an airline spokesperson said in a statement to Cybersecurity Dive. “While we have no evidence that any personal information has been misused, data security is of the utmost importance and we offered customers and team members precautionary support. We are also currently implementing additional technical safeguards to prevent a similar incident from occurring in the future.”
This story has been updated to include comment from American Airlines.