Microsoft 365 Email Hack Led to American Airlines BreachAirline Says July Phishing Incident Exposed Personal Information of 1,700 People
American Airlines says unauthorized access to its email system is behind a July breach of personal information affecting 1,708 people.
While the airline says the risk to victims is "remote," the carrier has notified affected individuals and offered them two years of credit and identity protection services.
American said in a statement to the Maine attorney general that it is reviewing its security measures and internal controls. "American is currently implementing additional safeguards to prevent a similar incident from occurring in the future."
The breach was discovered by the airline on July 5 after individuals reported receiving phishing emails from an American employee's account and unauthorized activity was detected in the company's Microsoft 365 environment.
A subsequent investigation detailed to the New Hampshire attorney general found the threat actor was able to sync with the email inboxes of at least one airline employee via the IMAP email protocol. The actor sent out phishing emails from the employee's account and snooped into files on an employee SharePoint site.
Information the threat actor had access to may have included names, Social Security numbers, employee numbers, dates of birth, mailing addresses, phone numbers, email addresses, driver's license numbers and passport numbers. Only a small number of documents contained personal information, according to the airline, "and it would have taken the unauthorized actor significant time and resources to locate the personal information in the mailboxes."
American Airlines began notifying those affected on Sept. 16 and is offering them a two-year membership of Experian's ldentityWorks service, which includes a free credit report, triple bureau credit monitoring, identity restoration and up to $1 million in identity theft insurance.