American Airlines, based in Fort Worth, Texas, said hackers had cracked some employee email accounts and gained access to the personal information of a very small number of customers and employees, but declined to say how many.
According to Montana law enforcement officials, the airline told customers that the breach was discovered in July and that it had disabled the compromised accounts and hired a cybersecurity firm to conduct an investigation.
Although there is no evidence that the attackers misused personal information, the information in the compromised email accounts may have included their date of birth, driver’s license and passport numbers, as well as medical information they provided to the airline.
“American Airlines is aware of a phishing campaign that resulted in unauthorized access to a limited number of team member mailboxes,” said Curtis Blessing, a spokesman for the airline.
The compromised email accounts contained very little personal information about customers and employees. Blessing also stated that American Airlines is taking additional technical precautions to prevent a similar incident in the future.
The affected customers were offered two years of identity theft protection.
The sources for this piece include an article in NPR.