Cybercriminals armed with usernames and passwords broke into customer accounts at American and United airlines, with some going so far as to book free flights and seat upgrades.
Affected customers were notified by email on Monday, though the hack apparently took place some time last month.
A spokesperson for United told the Associated Press that since early December around 35 MileagePlus accounts had seen activity involving fraudulently booked trips or mileage transactions.
American appears to have been hit harder by the hack, however, with around 10,000 accounts affected. Despite this, up to now it said it’s only aware of a couple of cases where a flight or upgrade was booked without the account holder knowing. The carrier promised to cover the cost of a credit-watch service for affected customers for a period of 12 months.
Both airlines were at pains to point out that their respective computer systems had not been breached and credit card numbers had not been exposed, but added that it was possible information in a user’s account profile, such as a customer’s mailing address, could have been viewed.
It’s assumed the criminals obtained the account information from sources outside of the airlines’ systems, though at this stage the thieves’ method of operation isn’t clear.
While the airlines will certainly have been embarrassed by the incident, at this stage it looks as if the damage has been minimal. However, customers with the carriers will no doubt be seeking assurances that their personal data is indeed safe and that the airlines are doing what they can to ensure they have the right defenses in place should hackers try to dig a little deeper next time around.