Executive Summary
Spanish airline Air Europa, based in Mallorca, recently suffered a cyberattack on its online payment system, resulting in the exposure of some customers’ credit card details.
While the airline promptly notified affected customers and financial institutions, it did not specify the number of customers impacted or estimate the financial consequences of the breach. Air Europa gave assurances that no other information had been exposed.
This is the second data breach at Air Europa since 2018. The airline is being taken over by International Consolidated Airlines Group (the owner of British Airways). The first breach, which impacted the card information of 489,000 customers, resulted in a fine of €600,000 for violations of the GDPR.
About the Breach
Air Europa, the third-largest airline in Spain, issued warnings to its customers to cancel their credit cards following the data breach that exposed their card information.
“We inform you that a cybersecurity incident was recently detected in one of our systems consisting of possible unauthorized access to your bank card data.
We have secured our systems, guaranteeing the correct functioning of the service. Additionally, we have made the due notifications to the competent authorities and necessary entities (AEPD, INCIBE, banks, etc.),” Air Europa said in emails sent to affected individuals.
The breach involved unauthorized access to bank card data and resulted in the compromise of card numbers, expiration dates, and CVV codes. Notably, storing CVV codes violates the Payment Card Industry Data Security Standard (PCI DSS).
The breach prompted Air Europa to secure its systems, notify relevant authorities and entities, and advise affected customers to contact their banks to cancel their cards and be cautious of potential fraud. According to Air Europa, there is no evidence that the stolen data has been used for fraudulent activities.
Earlier Breach of Air Europa
In 2021, Air Europa was fined over the 2018 data breach that affected 489,000 customers. The Spanish Data Protection Agency (DPA) imposed a €600,000 fine for violations of the European Union’s GDPR.
The airline’s delayed notification of the breach was also a point of contention: it was reported 41 days after the incident, while regulations require companies to report such breaches within 72 hours. The 2018 breach compromised the contact and bank account details of approximately 489,000 individuals, including card numbers, expiration dates, and CVV codes. Criminals used data from around 4,000 bank cards in fraudulent activities.
The aviation industry has faced multiple data breaches in recent years. In 2018, British Airways encountered a significant incident involving payment card and personal data, resulting in a substantial fine of £183 million ($224 million) in the UK. However, due to the economic impact of COVID-19, the fine was later reduced to £20 million ($24.5 million).