- American Airlines confirmed that its Cyber Security Response Team confirmed a data breach incident impacting customers and employees.
- According to the company filing, the attackers compromised an employee’s Microsoft 365 account and used it to spread phishing attacks.
- The company stated that the attacks started on September 16th and over 1,700 employees and customers are impacted by the incident.
American Airlines confirmed that its Cyber Security Response Team discovered a data breach incident. The team noticed unauthorized activity in the company’s Microsoft 365 environment. The investigation showed that the attackers accessed multiple employees’ accounts as a result of phishing attacks and used them to spread phishing emails.
Hacked Microsoft 365 account
According to the announcement, the hacked accounts allow attackers to access employee files stored on the Sharepoint service. The company stated that the attacks started on September 16th. When the company noticed the incident, it sent notification letters informing that the attack may have exposed employees’ and customers’ names, dates of birth, mailing addresses, phone numbers, email addresses, driver’s license numbers, passport numbers, or certain medical information to third parties.
According to a filing, over 1,700 employees and customers are impacted by the incident. The company is offering two years of Experian’s IdentityWorks free membership with identity restoration services, triple bureau monitoring, and up to $1 million in identity theft insurance to those who are affected. The company said,
« Through this investigation, American was able to determine that the unauthorized actor used an IMAP protocol to access the mailboxes. Use of this protocol may have enabled the unauthorized actor to sync the contents of the mailboxes to another device. American has no reason to believe that syncing the contents of the mailboxes was the purpose of the access. Based on fact, it appears the unauthorized actor was using IMAP protocol as a means to access the mailboxes and send phishing emails.
Notwithstanding, following the forensic investigation, American conducted an extensive eDiscovery exercise fo determine whether any personal information was. contained in the mailboxes. The review identified personal information in the mailboxes on or around August 16, 2022. The information in the mailboxes may have included name, Social Security number, employee number, date of birth, mailing address, phone number, email address, driver’s license number, and/or passport number. »