Hackers breached a database maintained by Pilot Credentials, a recruiting company based in Austin, Texas, resulting in the theft of personal information from more than 8,000 pilot applicants for American Airlines and Southwest Airlines.
The compromised data includes names, birth dates, Social Security and passport numbers, as well as driver- and pilot-license numbers of pilot and cadet job applicants.
According to the breach notifications filed by both airlines, 5,745 American Airlines applicants were affected, while the breach exposed information from 3,009 Southwest applicants.
The breach occurred on April 30, and the airlines became aware of it on May 3.
American Airlines reported no evidence of fraudulent activity or identity theft but is offering affected applicants two years of identity theft protection.
Both airlines said they have shifted their recruitment processes to internal websites and are cooperating with law enforcement investigations.
“We are no longer utilizing the vendor, and, moving forward, pilot applicants are being directed to an internal portal managed by Southwest,” Southwest Airlines said.
Erfan Shadabi, cybersecurity expert with comforte AG, says this type of data is a goldmine for cybercriminals, who can exploit it for various malicious purposes, including identity theft, financial fraud, and targeted phishing attacks.
“The recent data breach involving American Airlines and Southwest Airlines highlights the profound damage that such incidents can inflict on organizations,” Shadabi says.
Erich Kron, security awareness advocate at KnowBe4, agrees that this kind of breach illustrates the dangers of relying on third parties to manage sensitive information.
“Unfortunately, supply chains have been increasingly targeted, causing users of their services a considerable amount of grief,” he adds. “In many cases it is more economically feasible to enlist vendors to handle services such as managing resumes, job requests, and many other functions.”
The problem there, Kron explains, is that when things go wrong, it often reflects more poorly on the customer organization than on the service provider.
Airlines Must Improve Third-Party Security
Nick Tausek, lead security automation architect at Swimlane, says that to significantly reduce the risk of data breaches, airlines must collaborate closely with third-party vendors to prioritize the implementation of robust security measures.
This includes practices such as multifactor authentication and regular password updates, and evaluating whether their current security strategy is leaving room for delays in threat detection and incident response.
“The reality is that manual security processes are often time consuming and prone to errors, leaving organizations vulnerable to attacks,” he says. “Security automation tools, especially those of the low-code variety, can accelerate security teams’ capabilities to keep pace with the evolving threat landscape.”
Sally Vincent, senior threat research engineer at LogRhythm, says that in addition to the challenges of managing and detecting threats within an enterprise’s IT infrastructure, assessing third-party risk is also critical.
“For airlines, it is essential to have strong communication and notification tools, as well as a deep understanding of how to effectively configure their complex IT environment,” she says.
This allows them to gain a comprehensive view of anomalous and malicious activities across all fronts, enabling a prompt and thorough response.
“By implementing a well configured security monitoring solution that provides complete visibility, including for third-party vendors, it would have been more likely to detect indicators of compromise and mitigate the threat in a timely manner,” Vincent notes.
Kron adds that when an organization is going to use a third-party service to process or gather information, especially anything of a sensitive nature, special care needs to be taken with respect to security, and that security should be part of the contract with the vendor.
From his perspective, how the data is handled, who has access, how it’s secured, and how long it’s retained are some of the key concerns that should be handled within the contracts.
“The security of any third parties who are handling your sensitive information should be vetted to ensure that their security standards meet or exceed those of the organization that is hiring them,” he says.
Airlines, Travel Industry Under Continued Attack
Last year, American Airlines fell victim to a successful phishing attack against employees that compromised email accounts containing a raft of customer data.
In the wake of these attacks and continued targeting of the travel sector by cybercriminals, the Transportation Security Administration (TSA) announced a new set of cybersecurity requirements for airport and aircraft operators.
This obligation follows previous TSA requirements for operators to report significant cyber breaches to the Cybersecurity and Infrastructure Security Agency (CISA).
Ransomware attacks have impacted airlines worldwide, including Indian low-cost carrier SpiceJet, where an attack caused flight delays and rendered online booking systems and customer service portals unavailable.