At a glance.
- Hackers soar into American Airlines’ employee emails.
- Revolut data breach exposes customer data.
- Roundup of recently disclosed US data breaches.
- Breach lawsuits abound.
Hackers soar into American Airlines’ employee emails.
Air travel giant American Airlines has disclosed a recent data breach that stemmed from a phishing attack and resulted in the compromise of employee email accounts and the exposure of sensitive personal information. The breach was discovered in July, at which point the airline secured the affected email accounts and enlisted a cybersecurity forensic firm to conduct an investigation. Though it’s unclear how many accounts and customers were compromised, the data potentially accessed by the threat actors may have included employees’ and customers’ names, dates of birth, mailing addresses, phone numbers, email addresses, driver’s license numbers, passport numbers, and in some cases medical information. Andrea Koos, American Airlines’ Sr. Manager for Corporate Communications, told Bleeping Computer, “American Airlines is aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes. A very small number of customers and employees’ personal information was contained in those email accounts.”
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, sees the incident as an object lesson in the importance of considering a range of available security technologies and techniques. “Given the troves of personal information stored within large enterprise organizations, they will always be a likely target for cybercriminals. With an ever-growing attack surface, building just another wall around the organization’s network or a segment of sensitive data is not the best way forward. In the end, the most important thing to do is to protect the employee data, rather than the borders around that information. With modern solutions such as format-preserving encryption or tokenization, you can render useless to hackers any PII (including names, addresses, and IDs) or other data that’s considered sensitive, even if they manage to penetrate strengthened perimeters and actually get their hands on it.”
Revolut data breach exposes customer data.
Over the weekend, British financial tech company Revolut experienced a “highly targeted” cyberattack that gave threat actors access to the personal data of about 50,000 users, or 0.16% of its customer base. Security Affairs reports that the Lithuanian State Data Protection Inspectorate is conducting an investigation into the incident, and preliminary evidence indicates the attackers gained access to Revolut’s database through the use of social engineering techniques. The compromised data include customer names, street addresses, emails, phone numbers, and partial payment card data, but the hackers did not gain access to users’ funds. In addition, some users claim that Revolut’s customer support chat system was displaying inappropriate language to visitors at the time of the attack.
Roundup of recently disclosed US data breaches.
US electronics company M.C. Dean disclosed last week that it detected a data breach in June after an unauthorized party gained access to sensitive consumer data on the company’s network. JD Supra explains that although the intrusion was discovered this summer, the unauthorized party first gained access to M.C. Dean’s systems last December. The compromised data include Social Security numbers, protected health information, driver’s license or state identification numbers, and financial account information.
Lubbock Heart & Surgical Hospital, a physician-owned medical system based in the US state of Texas, on September 9th filed an official notice of a data breach with the US Department of Health and Human Services Office for Civil Rights. The July incident disrupted the hospital’s network and exposed patient data including names, contact information, demographic information, dates of birth, Social Security numbers, and treatment information. JD Supra notes that over 23,000 individuals have received breach notification letters.
Also last week, US financial services firm Ameriprise Financial, Inc. filed official notice of a data breach with the Massachusetts Office of Consumer Affairs and Business Regulation. The compromised data include client names, Social Security numbers, and financial account numbers, and notification letters have been sent to all affected parties. The company has not yet publicly disclosed what led to the breach or how many individuals were impacted. JD Supra notes that this is the fourth data breach that Ameriprise has reported this year.
Breach lawsuits abound.
Becker’s Hospital Review reports that five US health systems are facing lawsuits linked to recent data breach incidents. Salinas Valley Memorial Healthcare System, located in California, agreed to pay $340,000 as part of a class-action settlement alleging that the hospital did not properly protect patient data in a recent breach. University of California San Francisco Medical Center and San Francisco-based Dignity Health, along with Facebook parent company Meta Platforms, were named in a lawsuit filed in July in which the plaintiff claimed that Meta Pixel collected her sensitive medical information without her consent when she accessed the hospitals’ patient portals. Northwestern Memorial Hospital, based in Illinois, was named in an August lawsuit alongside Meta, Facebook and Instagram. The suit alleges that the healthcare provider allowed Facebook's tracking tool to unlawfully collect private medical data from the hospital's patient portal. And finally, Lamoille Health Partners, located in Vermont, is being sued for a June ransomware attack that impacted nearly 60,000 patients. Not only is the hospital under scrutiny for its data protection practices, but the suit also alleges that Lamoille failed to properly notify patients about the attack.