Quick Hits

Beware of Phish: American Airlines, Revolut Data Breaches Expose Customer Info

The airline and the fintech giant both fell to successful phishing attacks against employees.

Call it breach week: Hard on the heels of the Uber bombshell, American Airlines said that it suffered a data breach after a successful phishing attempt hooked a few employee email accounts. And consumer banking app Revolut confirmed that more than 50,000 customers may be impacted by a targeted data heist.

In the case of American, the airline told customers in a notification letter filed with the Montana Department of Justice that in July it discovered compromised email accounts for a "limited number" of employees. The mailboxes contained a raft of customer data, which could include name, date of birth, phone number, mailing address, email address, driver's license number, passport number, and perhaps medical information. That said, there's no confirmation that attackers actually took off with any of the information.

Meanwhile, fintech bigwig Revolut, which offers global banking, debit cards, fee-free currency exchange, stock trading, cryptocurrency exchange, and peer-to-peer payment services, said that a cyberattacker was able to access data for about 0.16% of its 20 million customers for a "short period” of time. The data protection regulator in Lithuania, where Revolut is headquartered, said that translates to about 50,150 people impacted.

The attackers were able to access names, phone numbers, emails, physical addresses, partial card details, and some unspecified account information, according to the regulator notice — but Revolut noted that funds were safe.

"To be clear, no funds have been accessed or stolen," the company announced in an email to customers (shared on Reddit). "Our customers' money is safe — as it has always been. All customers can continue to use their cards and accounts as normal."

Nonetheless, in both breach cases, the exposed data gives cyberattackers everything they would need to mount targeted follow-on attacks using social engineering, or for credential-stuffing efforts. And indeed, some Revolut customers have already reported phishing messages aimed at capturing their banking account logins.

"While the resulting second-wave phishing attack wasn’t the likely motive in this case, secondary outreach directly to the end user is always a possibility when it comes to these types attacks," says Randy Watkins, CTO at CRITICALSTART. "Likely, the attackers would have preferred to get the information they wanted directly from Revolut, but with the information they were able to gain access to, they can significantly raise their chances of phishing the end users.”