In a recent cybersecurity incident, personal information belonging to pilots of American Airlines and Southwest Airlines was compromised due to a data breach at a third-party vendor. The breach affected Pilot Credentials, a company managing pilot applications and recruitment portals for multiple airlines. While investigations are ongoing, both airlines have taken immediate action to mitigate the situation, including suspending the use of the third-party vendor and implementing internal portals for pilot applicants.

Details of the Data Breach

On May 3 2023, American Airlines and Southwest Airlines were informed that their third-party vendor, Pilot Credentials, experienced a cybersecurity incident. Unauthorized actors gained access to the vendor’s systems around April 30 2023, and obtained certain files containing personal information provided by pilot and cadet applicants during the hiring process. The compromised data included:

  • Names
  • Social Security numbers
  • Driver’s license numbers
  • Passport numbers
  • Dates of birth
  • Airman Certificate numbers
  • Other government-issued identification numbers.

The exact method of unauthorized access has not yet been. However, the incident highlights the importance of robust cybersecurity measures and serves as a reminder of the constant threats faced by organizations, even when employing third-party vendors to handle sensitive data.

Impact on Pilots and Applicants

The breach affected 5,745 pilots and applicants from American Airlines and 3,009 from Southwest Airlines, according to reports filed with the Office of the Maine Attorney General. Both airlines promptly notified the affected individuals and assured them that investigations were underway. Although there is currently no evidence to suggest targeted misuse or fraudulent activity, the stolen personal information could potentially be sold or shared on cybercriminal platforms, putting affected individuals at risk of identity theft and other attacks.

Response and Precautionary Measures

American Airlines and Southwest Airlines took immediate measures to address the breach and safeguard their pilots’ personal information. Both airlines suspended the use of Pilot Credentials as their third-party vendor and redirected pilot applicants to internally managed portals. To provide additional protection, the airlines offered affected individuals free identity protection memberships to detect potential misuse of their personal information. By cooperating fully with law enforcement authorities, the airlines aim to assist in ongoing investigations into the incident.

Previous Data Breaches and Industry Context

The recent data breach is not the first incident impacting American Airlines’ cybersecurity. In July 2022, the company suffered another breach when unauthorized actors compromised the email accounts of a limited number of team members. Personal information compromised in that incident included names, dates of birth, mailing addresses, phone numbers, email addresses, driver’s license numbers, passport numbers, and certain medical information. Additionally, American Airlines experienced a data breach in March 2021, when hackers breached servers belonging to air information tech giant SITA and gained access to the Passenger Service System (PSS) used by multiple airlines worldwide.

Southwest Airlines, the world’s largest low-cost carrier, also faced the repercussions of the Pilot Credentials breach. The airline’s response mirrored that of American Airlines, with an immediate suspension of the third-party vendor’s services and the establishment of internally managed portals for pilot applicants.

Conclusion

The data breach at Pilot Credentials, a third-party vendor responsible for managing pilot applications and recruitment portals, has compromised the personal information of pilots and applicants from American Airlines and Southwest Airlines. The breach exposed sensitive details such as names, Social Security numbers, and government-issued identification numbers. Both airlines swiftly responded by suspending the use of the third-party vendor and offering free identity protection memberships to affected individuals. While there is no current evidence of targeted misuse, the breach underscores the importance of continuous vigilance and robust security measures within the aviation industry to protect personal information and mitigate potential risks.