A recent data breach at American Airlines was relatively small, but the customer information stolen appears to be a jackpot for criminals engaged in identity theft.
The breach, announced on Sept. 20, affected a “very small number” of customers and employees, the airline said in a statement, with reports of about 1,700 people affected. However, the breach reportedly included Social Security and driver’s license numbers, data that can be used to steal victims’ identities.
American Airlines is among several airlines and travel-related companies that have been the victims of such breaches in recent years. India-based Akasa Air reported one in August, and Philippine Airlines reported its own in mid-September.
However, these recent thefts may say more about the security of the individual companies than about the industry at large, some cybersecurity experts said.
“While they have some unique operational challenges, airlines are essentially like every other service industry; they are trying to please as many customers as possible as quickly and efficiently as possible,” said Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of cloud-based cyber risk remediation. “[This] means many of their customer-facing personnel are focused more on those aspects of the job over cybersecurity.”
The American Airlines data breach started with a phishing scheme, the airline said, noting that it is implementing new security measures to protect against future breaches.
“While we have no evidence that any personal information has been misused, data security is of the utmost importance and we offered customers and team members precautionary support,” American Airlines said in its statement.
The airline didn’t disclose whether it has a suspect in the attack. But the data reportedly stolen is cybercriminal gold, security experts said.
“Customer support agents at banks, credit card companies, telecoms, and more use this information to identify their customers,” said Corben Leo, security researcher and chief marketing officer at blockchain security provider Zellic. “So an attacker can call these institutions, pretend to be you, and easily steal your identity.”
The data breach happened in July, and an American Airlines representative didn’t answer a question about the delay in reporting the problem.
In some cases, a company may wait to report a breach because it didn’t realize it had happened, or it may be trying to catch the attackers, Leo said. In other cases, it may take weeks to complete a forensic analysis of the breach, other security experts said.
The most common reason to delay disclosure is a focus on completing an investigation of the breach, added Jason Hicks, field chief information security officer at cybersecurity firm Coalfire.
“This allows the company to determine the full scope of the breach so that you are not making follow-up announcements, as this often results in people developing a negative view around your firm’s competency,” he said. “It also gives the firm a chance to consult with their attorneys, public relations team, and crisis communication team to be able to manage the messaging as effectively as possible.”
Sometimes, law enforcement agencies will ask a breached company to delay disclosure to complete their own investigations, he added. “Making your announcement could scare suspects into fleeing … or destroying evidence,” Hicks said.
Several cybersecurity experts recommended that companies implement multifactor authentication plans to protect against phishing attacks. While multifactor authentication won’t solve all cybersecurity problems, it makes it more difficult for cybercriminals to take over an employee’s email, document sharing, or other accounts, they said.
“I’ve seen many examples of this attack via clients of our incident response services; the typical cause is not having MFA enabled,” Hicks said. “Any service that is accessible from the internet should be leveraging some form of MFA. It’s simply too easy to find an employee that can be fooled via phishing.”
Companies should also train employees about phishing attacks, “but training alone will not be sufficient to protect a company from phishing,” Hicks added.