American Airlines and Southwest Airlines, two of the largest airlines in the world, disclosed data breaches on Friday caused by the hack of Pilot Credentials, a third-party vendor that manages multiple airlines’ pilot applications and recruitment portals.
Both airlines were informed of the Pilot Credentials incident on May 3, which was limited solely to the systems of the third-party vendor, with no compromise or impact on the airlines’ own networks or systems.
An unauthorized individual gained access to Pilot Credentials’ systems on April 30 and stole documents containing information provided by certain applicants in the pilot and cadet hiring process.
According to breach notifications filed on Friday with Maine’s Office of the Attorney General, American Airlines said the data breach affected 5,745 pilots and applicants, while Southwest reported a total of 3,009.
“Our investigation determined that the data involved contained some of your personal information, such as your name and Social Security number, driver’s license number, passport number, date of birth, Airman Certificate number, and other government-issued identification number(s),” American Airlines revealed.
Although no evidence was found that the pilots’ personal information was specifically targeted or exploited for fraud or identity theft, the airlines will, from now on, direct all pilot and cadet applicants to self-managed internal portals.
“We are no longer utilizing the vendor, and, moving forward, Pilot applicants are being directed to an internal portal managed by Southwest,” Southwest Airlines said.
American Airlines and Southwest Airlines have also notified relevant law enforcement authorities of the breaches and are fully cooperating with their ongoing investigation into the matter.
American Airlines hit by other breaches in recent years
The disclosures come after American Airlines reported another data breach in September 2022 that impacted over 1,708 American Airlines customers and team members. That breach followed a July 2022 phishing attack that led to the compromise of a number of employee email accounts.
As disclosed at the time, personal information exposed in the July 2022 breach may have included employees’ and customers’ names, dates of birth, mailing addresses, phone numbers, email addresses, driver’s license numbers, passport numbers, and/or certain medical information.
A subsequent investigation also indicated that the attackers used the employees’ compromised accounts to send more phishing emails.
American Airlines was also hit by a data breach in March 2021 after global air information tech giant SITA disclosed that hackers breached its servers and accessed the Passenger Service System (PSS) used by multiple airlines worldwide.
American Airlines is the world’s largest airline by fleet size (with over 1,300 aircraft in its mainline), operates almost 6,700 flights daily to roughly 350 destinations in over 50 countries, and has more than 120,000 employees.
Southwest Airlines is the world’s largest low-cost carrier, has nearly 70,000 employees, and is present in over 121 airports across 11 countries.