Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Filter by Categories

Air Europa Customer Credit Card Breach

Executive Summary

Spanish airline Air Europa, based in Mallorca, recently suffered a cyberattack on its online payment system, resulting in the exposure of some customers’ credit card details.

While the airline promptly notified affected customers and financial institutions, they did not specify the number of customers impacted or estimate the financial consequences of the breach. Air Europa assured that no other information had been exposed.

This is the second data breach of Air Europa, which is being taken over by International Consolidated Airlines Group (the owner of British Airways), since 2018. The first breach, which impacted the card information of 489,000 customers, resulted in a fine of €600,000 due to the violations of GDPR regulations.

About the Breach

Air Europa, the third-largest airline in Spain, issued warnings to its customers to cancel their credit cards following the data breach that exposed their card information.

We inform you that a cybersecurity incident was recently detected in one of our systems consisting of possible unauthorized access to your bank card data.

We have secured our systems, guaranteeing the correct functioning of the service. Additionally, we have made the due notifications to the competent authorities and necessary entities (AEPD, INCIBE, banks, etc.).

Air Europa said in emails sent to affected individuals

The breach involved unauthorized access to bank card data and resulted in the compromise of card numbers, expiration dates, and CVV codes. It is important to note that storing CVV codes is against the regulations of the Payment Card Industry Data Security Standard (PCI DSS).

The breach prompted Air Europa to secure its systems, notify relevant authorities and entities, and advise affected customers to contact their banks to cancel their cards and be cautious of potential fraud. According to Air Europa, there is no evidence that the stolen data has been used for fraudulent activities.

Earlier Breach of Air Europa

In 2021, Air Europa was fined due to the data breach that affected 489,000 customers in 2018. The breach resulted in a €600,000 fine by the Spanish Data Protection Agency (DPA) due to violations of the European Union’s GDPR regulations.

The airline’s delayed notification of the breach was also a point of contention, as it was reported 41 days after the incident, while regulations require companies to report such breaches within 72 hours. The 2018 breach compromised the contact and bank account details of approximately 489,000 individuals, including card numbers, expiration dates, and CVV codes. Criminals used around 4,000 bank cards’ data in fraudulent activities.

The aviation industry has faced multiple data breaches in recent years. In 2018, British Airways encountered a significant incident involving payment card and personal data, resulting in a substantial fine of £183 million ($224 million) in the UK. However, due to the economic impact of Covid-19, the fine was later reduced to £20 million ($24.5 million).



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.