A vendor that operates a pilot recruitment platform used by maor airlines exposed the personal files of more than 8,000 pilot and cadet applicants at American Airlines and Southwest Airlines.
Both American and Southwest on June 23 sent letters [caution – PDFs] to those people affected by the hack of Pilot Credentials, a company based in Austin, Texas, that was founded in 2005 and manages online pilot recruitment portals for American, Southwest, and other airlines.
According to the letters, Pilot Credentials’ systems were broken into by unknown criminals on April 30 and the airlines were both notified of the attack on May 3. The airlines said their own systems were not compromised. The files stolen contained a range of data about pilot applicants, including their names, Social Security numbers, passport numbers, driver’s license numbers, dates of birth, Airman Certificate numbers, and other government-issued identification numbers.
According to filings with the state of Maine, 5,745 people with American had data stolen in the incident. For Southwest, the number was 3,009.
Both airlines said in their letters that there was no “evidence” that the stolen data has been used in fraud or identity theft scams. At the same time, both said they now running their recruitment efforts through internal portals managed by the respective airlines.
“We are no longer utilizing the vendor, and, moving forward, pilot applicants are being directed to an internal portal managed by Southwest,” the company wrote.
Both also said they contacted law enforcement agencies and are cooperating with the investigations.
The airlines are offering people affected by the attack two free years of credit and identity protection. American will pay for a complimentary two-year membership with Experian IdentityWorks Credit 3B program, which can detect possible misuse of personal information and deliver identification protection.
Southwest is doing the same through Equifax Complete Premier program.
Trouble with tech
This isn’t the only data breach American has had to deal with lately. The company in September 2022 reported that attackers two months earlier had compromised a number of employee email accounts via a phishing campaign, potentially exposing such personal information of both employees and customers as their names, dates of birth, mailing and email addresses, medical data, and driver’s and passport numbers.
American also was on of a number of airlines – Lufthansa being another – that were affected by an attack on SITA, which supplies aviation tech.
The airline as well as its American Eagle brand average almost 6,700 flights a day in more than 50 countries and have nine hubs in the US, including Dalla/Fort Worth, Los Angeles, Miami, and New York. In the first quarter, American generated $12.2 billion in revenue and $10 million in net income.
Southwest is among the more popular low-cost airlines, with almost 800 aircraft running about 4,000 flights a day. In its fiscal-year first quarter, the company lost $159 million on a record $5.7 billion in revenue.
A combination of worker shortages, winter storms, and outdated scheduling software managed to overload the airline’s IT infrastructure late last year, stranding thousands of travelers at the height of the holiday travel season in December 2022. ®