Updated on 2022-09-25: American Airlines discloses employee email breach
Following a breach, on an undisclosed date, of a number of employee email accounts that was discovered in July, American Airlines confirmed that employees' and customers' names, dates of birth, mailing addresses, phone numbers, email addresses, driver's license numbers, passport numbers, and/or certain medical information may have been stolen. According to a filing with Maine's attorney general, whose office requires organizations to disclose the number of individuals affected by each breach, about 1,700 people are affected. Read more: American Airlines discloses data breach after employee email compromise
Updated on 2022-09-24: American Airlines Learned of Breach from Phishing Targets
American Airlines says it learned it was the victim of a data breach after being contacted by people who had received phishing messages from a compromised American Airlines employee account. Once notified, the airline's security team found evidence of unauthorized activity in its Microsoft 365 environment. The intruders apparently compromised multiple employee accounts and used them to send further phishing messages.
- The same mitigations apply as with the OAuth attack: MFA, conditional access, and continuous access validation. Make sure that you’ve disabled inactive users, and set a time limit on MFA configuration, perhaps locking users out who can’t meet the timeline.
- There are two items of note from this incident that we should learn from. The first is that the compromised mailboxes were accessed via the IMAP protocol. This is an old protocol and one which should be removed from systems. The second is the amount and type of personal data that was stored in the compromised mailboxes. According to the breach notification, the personal data exposed in this breach may have included names, Social Security numbers, employee numbers, dates of birth, mailing addresses, phone numbers, email addresses, driver's license numbers, and/or passport numbers. Email platforms should not be used as databases for personal data, and processes should be in place to remove such data from mailboxes.
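The two editor comments above point at the same control gap: IMAP, POP and authenticated SMTP logins to Microsoft 365 authenticate with a password alone, so neither MFA nor a conditional access policy that is scoped to modern clients gets a chance to stop them, and dormant accounts are the easiest targets. The script below is an added example (written for this digest, not code from American Airlines, Microsoft, or the linked articles) that hunts for both problems in Entra ID (Azure AD) sign-in records. It assumes records shaped like the Microsoft Graph `signIn` resource (`userPrincipalName`, `clientAppUsed`, `ipAddress`, `createdDateTime`, `conditionalAccessStatus`, `status.errorCode`); the sample records, the `example.com` users and the 90-day idle threshold are constructed for the demonstration.

```python
"""Hunt Entra ID sign-in records for password-only legacy-protocol logins and
for accounts idle long enough to disable.

Added example for this digest; not code from the airline, Microsoft or the
linked articles. Field names follow the Microsoft Graph `signIn` resource;
the records, users and threshold below are constructed for the demo.
"""
from datetime import datetime, timedelta, timezone

# clientAppUsed values that mean basic authentication. None of these flows can
# complete an MFA challenge, so a successful one is a password-only login.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}

# Constructed sample sign-in records (not real log data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2022-07-05T09:12:00Z", "userPrincipalName": "alice@example.com",
     "clientAppUsed": "Browser", "ipAddress": "203.0.113.10",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-07-06T02:41:00Z", "userPrincipalName": "alice@example.com",
     "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.7",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-07-06T02:43:00Z", "userPrincipalName": "bob@example.com",
     "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.7",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 50126}},  # bad password
    {"createdDateTime": "2022-07-06T08:00:00Z", "userPrincipalName": "bob@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "203.0.113.22",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-03-01T10:00:00Z", "userPrincipalName": "carol@example.com",
     "clientAppUsed": "Browser", "ipAddress": "203.0.113.31",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-07-07T03:00:00Z", "userPrincipalName": "dave@example.com",
     "clientAppUsed": "Authenticated SMTP", "ipAddress": "198.51.100.9",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
]

# Directory listing, so accounts that never signed in at all are still checked
# (a query over sign-in logs alone can never surface them).
KNOWN_USERS = ["alice@example.com", "bob@example.com", "carol@example.com",
               "dave@example.com", "erin@example.com"]

# Fixed "now" so the demo is reproducible; use datetime.now(timezone.utc) in practice.
DEMO_NOW = datetime(2022, 7, 10, tzinfo=timezone.utc)


def _ts(value):
    """Parse the API's ISO-8601 'Z' timestamps into timezone-aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def legacy_protocol_logins(records):
    """Return one finding per successful sign-in that used a legacy protocol.

    Failed attempts (non-zero errorCode) are skipped here; they belong in a
    separate password-spray detection. `ca_applied` records whether any
    conditional access policy was even evaluated for the login.
    """
    findings = []
    for r in records:
        if r["clientAppUsed"] not in LEGACY_CLIENTS or r["status"]["errorCode"] != 0:
            continue
        findings.append({
            "user": r["userPrincipalName"],
            "client": r["clientAppUsed"],
            "ip": r["ipAddress"],
            "time": r["createdDateTime"],
            "ca_applied": r.get("conditionalAccessStatus") != "notApplied",
        })
    return findings


def inactive_accounts(records, known_users, now=DEMO_NOW, max_idle_days=90):
    """Return known accounts with no successful sign-in in the last max_idle_days.

    Accounts absent from the logs entirely are reported too, since an account
    nobody uses is exactly the one whose compromise nobody notices.
    """
    last_seen = {}
    for r in records:
        if r["status"]["errorCode"] != 0:
            continue
        user, ts = r["userPrincipalName"], _ts(r["createdDateTime"])
        if user not in last_seen or ts > last_seen[user]:
            last_seen[user] = ts
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u in known_users
                  if u not in last_seen or last_seen[u] < cutoff)


if __name__ == "__main__":
    for f in legacy_protocol_logins(SAMPLE_SIGNINS):
        print(f"LEGACY LOGIN {f['time']} {f['user']} via {f['client']} "
              f"from {f['ip']} (conditional access applied: {f['ca_applied']})")
    for u in inactive_accounts(SAMPLE_SIGNINS, KNOWN_USERS):
        print(f"INACTIVE {u}: no successful sign-in in 90 days; candidate to disable")
```

Run against an export of the sign-in logs plus a directory user list, the first function gives the list of mailboxes whose password alone was enough to read mail over IMAP or to relay phishing over SMTP, and the second gives the accounts to disable before an attacker registers MFA on them. The durable fix is to turn the protocols off rather than to keep hunting for them: in Exchange Online PowerShell, `Set-CASMailbox -Identity <user> -ImapEnabled $false -PopEnabled $false` disables them per mailbox, and a conditional access policy that blocks the "Other clients" and "Exchange ActiveSync" client app types stops basic-authentication sign-ins tenant-wide.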
Read more in
American Airlines disclosed a security breach last week in a breach notification letter [PDF] filed with the Montana OAG. The airline said the breach occurred in July this year, after a threat actor gained access to several employee email accounts. These accounts contained documents with the personal data of some of the airline's past customers, such as names, email addresses, home addresses, phone numbers, and travel document information.