American Airlines suffered a data breach back in July 2022. Some people are receiving letters from American Airlines. We did not receive the letter, but we received a security alert from LifeLock (image below).
In this case, some employees at American Airlines were victims of phishing emails. You know the story: some of these employees opened the suspect emails, which facilitated a data breach. Although American Airlines suggests that your personal information was not misused, the types of information that may have been compromised consist of:
- Date of birth,
- Mailing address,
- Phone number,
- Email address,
- Driver’s license number,
- Passport number and
- Any medical information that you provided to American Airlines.
Why is American Airlines notifying customers two months after the breach? As a general operating rule, data breaches are usually not made public immediately, to allow law enforcement to investigate without tipping off the hackers.
Data breaches are usually the result of:
- An employee doing something they are NOT supposed to do or
- An employee NOT DOING something they are supposed to do.
Examples of some things that employees should not be doing would be opening suspicious emails, clicking on unknown links or inserting a suspect flash drive into a networked computer. Failing to apply operating system or application software patches or not securing a network would be examples of not doing something they were supposed to have done.
American Airlines Statement
Andrea Koos, spokesperson for American Airlines, said, “American Airlines is aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes. A very small number of customers and employees’ personal information was contained in those email accounts.” Koos went on to add that the company is “currently implementing additional technical safeguards to prevent a similar incident from occurring in the future.” The company says it has “no evidence to suggest” that customers’ personal info has been misused.
I don’t know about you but the fact that any of the above information may have landed on the dark web isn’t very reassuring to me.
What American Airlines Is Willing To Do
American Airlines is willing to provide a complimentary, two-year membership of credit monitoring through Experian’s IdentityWorks. In order to take advantage of this offer, you need to enroll by phone at (877) 890-9332 or online no later than December 31, 2022. You will use the engagement number B061570 for your complimentary membership.
I will commend American Airlines for offering two years of credit monitoring instead of one year. Data brokers on the dark web know that victims will usually get one year of credit monitoring so they hold on to your data initially. They wait for that one-year period to expire before they put your personal information up for sale on the dark web.
What You Can Do
You can protect your credit report from unauthorized access by locking or freezing your credit reports with the major credit reporting bureaus:
- Experian and
- TransUnion.
Requesting a credit lock or a credit freeze is essentially the same thing. The major difference is that credit bureaus can charge you for a credit lock but obtaining a credit freeze should be complimentary. I have my credit reports frozen. If I apply for credit, I will have to unfreeze my credit reports and then freeze them again after a lender or credit card issuer has run my credit report. The graphic below is from my free Experian credit account. With the tap of a finger, I can freeze or unfreeze my credit report at no cost.
Unfortunately, we live in a world where careless employees can cause our personal information to be exposed to hackers. The security of your data at a business is only as good as the worst employee or the extent of the security of their network.
Monitoring your credit reports and locking or freezing your credit report access will help reduce any possible damage from compromised data. I have had great success with LifeLock, as they have alerted me to fraud in real time where the complimentary credit monitoring dropped the ball.