Beware of Phish: American Airlines, Revolut Data Breaches Expose Customer Info

The airline and the fintech giant both fell to successful phishing attacks against employees.

Passenger in airport terminal with American Airlines airplane outside window
Source: Vicki Beaver via Alamy Stock Photo

Call it breach week: Hard on the heels of the Uber bombshell, American Airlines said that it suffered a data breach after a successful phishing attempt hooked a few employee email accounts. And consumer banking app Revolut confirmed that more than 50,000 customers may be impacted by a targeted data heist.

In the case of American, the airline told customers in a notification letter filed with the Montana Department of Justice that in July it discovered compromised email accounts for a "limited number" of employees. The mailboxes contained a raft of customer data, which could include name, date of birth, phone number, mailing address, email address, driver's license number, passport number, and perhaps medical information. That said, there's no confirmation that attackers actually took off with any of the information.

Meanwhile, fintech bigwig Revolut, which offers global banking, debit cards, fee-free currency exchange, stock trading, cryptocurrency exchange, and peer-to-peer payment services, said that a cyberattacker was able to access data for about 0.16% of its 20 million customers for a "short period” of time. The data protection regulator in Lithuania, where Revolut is headquartered, said that translates to about 50,150 people impacted.

The attackers were able to access names, phone numbers, emails, physical addresses, partial card details, and some unspecified account information, according to the regulator notice — but Revolut noted that funds were safe.

"To be clear, no funds have been accessed or stolen," the company announced in an email to customers (shared on Reddit). "Our customers' money is safe — as it has always been. All customers can continue to use their cards and accounts as normal."

Nonetheless, in both breach cases, the exposed data gives cyberattackers everything they would need to mount targeted follow-on attacks using social engineering, or for credential-stuffing efforts. And indeed, some Revolut customers have already reported phishing messages aimed at capturing their banking account logins.

"While the resulting second-wave phishing attack wasn’t the likely motive in this case, secondary outreach directly to the end user is always a possibility when it comes to these types attacks," says Randy Watkins, CTO at CRITICALSTART. "Likely, the attackers would have preferred to get the information they wanted directly from Revolut, but with the information they were able to gain access to, they can significantly raise their chances of phishing the end users.”

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights