The personal and specialized information of almost 9,000 pilot and cadet applicants for American Airlines and Southwest Airlines was exposed by a cyberattack on a pilot recruitment system used by both airlines in late April.
The systems of Pilot Credentials, a Texas-based company that manages pilot recruitment portals for multiple airlines, was breached by an unauthorized actor on or around April 30, according to data breach notifications the airlines filed in Maine last. The data breach was discovered on May 3.
The incident underscores how major businesses can be compromised when malicious activity occurs on a third-party platform in their supply chain.
American and Southwest, two of the world’s largest airlines, disclosed the extent of compromise in notifications sent to impacted individuals.
The threat actor stole documents, including specialized credentials and government-issued IDs for 5,745 applicants with American and 3,009 applicants with Southwest, according to the filings.
Pilot Credentials did not respond to questions about how the threat actor gained access, how much data was stolen and if other airlines are potentially impacted.
American and Southwest said they’re no longer using the third-party vendor and will be directing applicants to internal portals managed by the airlines going forward.
The airlines notified law enforcement and said the exposure was limited to Pilot Credentials’ systems.
”The incident did not impact any American Airlines customer data, and American’s internal systems — including customer and team member data — remain secure,” an American Airlines spokesperson said via email.
“The incident was solely limited to the third-party vendor, and no Southwest networks or systems were affected or compromised,” a Southwest Airlines spokesperson said.
American Airlines was hit by a more direct cyberattack in July when a phishing email attack against an employee compromised the airline’s Microsoft 365 environment and exposed PII of more than 1,700 employees.
Upon further investigation, the airlines said they’ve uncovered no evidence to suggest the candidates’ information was targeted or misused.