American Airlines has confirmed that a data breach has affected a "very small number" of customers and employees.
According to NPR, American Airlines notified customers recently that the security breach was discovered in July. The company locked down the breached accounts and hired a cybersecurity firm to assist with the investigation.
Personal information that may have been compromised includes email accounts, date of birth, driver's license and passport numbers, as well as medical information provided to the airline.
American Airlines spokesman Curtis Blessing said the company is "aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes. A very small number of customers and employees' personal information was contained in those email accounts." Blessing declined to say how many people had been affected by the security breach.
The company said there is no indication that hackers have misused any of the personal information that was accessed and offered two years of identity-theft protection.
In addition, Blessing noted that the company is implementing "additional technical safeguards to prevent a similar incident from occurring in the future," NPR reports.
Phishing, a type of social engineering attack, is becoming one of the greatest concerns for organizations, as everyone is susceptible, says Amit Bareket, Co-Founder and CEO of Perimeter 81. "To do business and support the remote workers, companies are opening their networks to the open internet and the mix of the two allows attackers to extract an organization’s credentials to access the network resources that in the past were locked to the site," Bareket says.
Moving forward, ongoing employee education to warn about and protect against social engineering attacks, which are becoming more sophisticated, is essential, Bareket recommends.
Joshua Crumbaugh, CEO of Phishfirewall, shares a similar view. "It's almost always phishing attacks that lead to these high profile breaches, yet we continue to hear infosec professionals make excuses like 'you can't patch stupid.' This is the exact reason we continue to see a vast majority of high profile breaches start with human error. Once our industry accepts that we can mitigate most human risk through education and immersive threat simulation experiences, we will then begin to see these numbers go down."
That being said, it's not only the fault of misled information security professionals, Crumbaugh says. "Most security awareness vendors have entirely ignored learning sciences, the psychology of behavioral change, and adversarial tactics in their curriculum and instead created overly complicated and boring content. Spear phishing emails are by far one of the most difficult attacks to defend against. One reason is because we are rarely able to block spear phishing attacks from making their way to our users. This means that users are still our best line of defense against spear phishing attacks. So, how do we stop them? We have to do a better job educating and training our users."