American Airlines confirms data breach

American Airlines on Tuesday confirmed a data breach that affected a “small number” of customers and employees.

A template notification to affected customers dated Sept. 16 and sent to Montana state officials, indicated the company learned in July 2022 that an unauthorized actor compromised a limited number of employees’ email accounts that contained personal information.

“American Airlines is aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes,” the airline said in a statement. “A very small number of customers and employees’ personal information was contained in those email accounts.”

“While we have no evidence that any personal information has been misused, data security is of the utmost importance and we offered customers and team members precautionary support,” the statement continued. “We are also currently implementing additional technical safeguards to prevent a similar incident from occurring in the future.”

The company said it hired a cybersecurity firm to investigate the incident and found the information may have included customers’s names, dates of birth, mailing addresses, phone numbers, emails, driver’s license numbers, passport numbers and medical information provided to the airline.

American is providing affected customers with a complimentary two-year membership to an identity theft protection service, although it said the actions were being taken out of an “abundance of caution.”

“Although we have no evidence that your personal information has been misused, we recommend that you enroll in Experian’s credit monitoring,” the airline wrote in the notification. “In addition, you should remain vigilant, including by regularly reviewing your account statements and monitoring free credit reports.”