Pilot data relating to American Airlines Group Inc. and Southwest Airlines Co. has been breached following the hack of a third-party provider of pilot applications and recruitment.

The breach involved the compromise of a company called Pilot Credentials between April 30 and May 1, with the airlines informed on May 3. The form of attack is unclear, with the airlines only referring to it as a “security incident” involving a third-party vendor that involved “some files within its systems.”

The data compromised in the incident involved certain files provided by some pilot and cadet applicants during the hiring process. Compromised information may have contained personally identifiable information, including name, Social Security numbers, driver’s license number, passport number, date of birth, Airman Certificate numbers and other government-issued identification numbers.

Both airlines claim that they have no evidence to suggest that the stolen information has been misused for fraud or identity theft. In American Airlines’ case, the airline has cut ties with Pilot Credentials and is offering those affected two years of free identity theft protection from Experian plc.

The main takeaway among cybersecurity professionals is that this is yet another case of a third-party provider being targeted to gain information about their customers.

“Third-party access and supply chain risks continue to be the leading reasons for recent security breaches,” Roy Akerman, co-founder and chief executive officer of identity-centric security platform provider Rezonate Inc., told SiliconANGLE. “Whether critical information is managed by a third-party application, or a vendor has direct access to one’s infrastructure, an additional security risk is introduced and therefore must be monitored and controlled.”

Darren Williams, founder and CEO of anti-data exfiltration company BlackFog Inc., noted that the attack was another case of major travel-related brands falling victim to data exfiltration, leading to inevitable extortion by cyber gangs.

“What is particularly noteworthy about this attack is the extent of the breach and the targeting of third-party suppliers to obtain the data,” Williams said. “The downstream access to data is a constant theme that has even affected U.S. Customs and Border Protection.”

Photo: Russell Lee/Wikimedia Commons