American Airlines (AA) suffered a data breach in which the personal information of customers and staff may have been taken. The breach, announced by AA in a letter to victims on September 16, involved an authorized actor exposing the email accounts of AA staff members in July.

When the airline discovered the breach, it protected the email accounts and hired a third-party cybersecurity forensics firm to analyze the nature and breadth of the attack. The inquiry proved inconclusive, with the discovery of personal information in compromised email accounts but no indication of the information being abused.

Already notifying possible victims of the hack

Names, birthdates, postal addresses, phone numbers, email addresses, driver’s license numbers, passport numbers and certain medical information are among the possibly stolen data.

All potentially affected individuals have been given a two-year subscription to Experian IdentityWorks, a product that detects identity theft and abuse.

Although AA did not immediately identify the source of the data breach, a spokeswoman for the airline told BleepingComputer that the accounts were hacked in a phishing attempt, adding that only a “very small number” of team members and customers were impacted.

Not the first

This is not the first time AA has been the victim of a hack. In 2015, Chinese hackers breached the organization and flight reservation firm Sabre, putting millions of documents at risk.

Tokenize CEO John Gunn told SiliconANGLE that the reputational damage from this hack would far outweigh the out-of-pocket costs, particularly in an industry where adequate measures and safety are crucial in consumers’ choice of which airline to use.

According to Erich Kron, a security awareness evangelist at security firm KnowBe4, email accounts remain a top target for cybercriminals. The attack is another instance of email phishing, allowing hackers to take over certain accounts.

Tip: Streaming service Plex risks data breach of millions of accounts