Unauthorized access of American Airlines' Microsoft 365 environment identified July 5 was the result of a successful phishing email sent to an employee's account, lawyers for the airline disclosed in a letter to New Hampshire's Attorney General's office.
An investigation by the American Cyber Security Response Team showed the unauthorized actor used the IMAP protocol to access employee mailboxes. The actor may also have previewed files on an employee SharePoint site.
In total, 1,708 people were impacted by the breach, which occurred between July 3 and July 7, according to a filing with the Maine Attorney General’s office. The information accessed by the actor included names, addresses, driver’s license numbers, passport information and other personally identifiable information.
The airline previously confirmed the attack, which was identified July 5, and said it hired an outside forensic cybersecurity firm to help investigate the incident.
The company, which also owns Envoy Air and Piedmont Airlines, said there was no indication any of the PII was misused. American discovered the PII in the mailboxes on August 16, after the internal investigation had begun.
American said it took considerable time to confirm individual identities, which required searching internal HR records and working with Experian to help identify specific individuals.
A spokesperson for American said previously the airline was taking certain technical measures to make sure such an incident did not occur in the future.