American Airlines says that hackers may have obtained personal information for a "very small number" of customers and employees. The company did not say exactly how many people were impacted, though it noted there's no evidence that the attackers have misused the information. It told affected customers that names, driver’s license and passport numbers, addresses, email addresses, phone numbers, dates of birth and medical information may have been compromised.
The hackers gained access to American's email system through a phishing campaign, as the Associated Press reported. The company told regulators in Montana that it discovered the intrusion in July. It started informing affected customers last week. American says it has secured the breached email accounts and brought in a third-party cybersecurity firm to investigate.
American said it's putting more technical measures in place to prevent similar breaches from occurring. The company has also offered customers affected by the breach two years of identity theft-protection coverage.
An American Airlines spokesperson provided the following statement to Engadget:
“American Airlines is aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes. A very small number of customers and employees’ personal information was contained in those email accounts. While we have no evidence that any personal information has been misused, data security is of the utmost importance and we offered customers and team members precautionary support. We are also currently implementing additional technical safeguards to prevent a similar incident from occurring in the future.”