Southwest, American Airlines pilot data exposed


A third-party vendor breach exposed the sensitive details of pilot applicants to Southwest Airlines and American Airlines.

Both US-based air carriers had to send out thousands of breach notification letters after a third-party vendor, pilotcredentials.com, was breached. Southwest and American used the vendor to manage their pilot application and recruitment websites.

According to almost identical letters distributed to victims of the hack, unknown attackers breached pilotcredentials.com around April 30th, 2023, with the vendor informing Southwest and American on May 3rd.

“According to the third-party vendor, an unauthorized actor accessed the third-party vendor’s systems on or around April 30th, 2023 and obtained certain files provided by some pilot and cadet applicants during our hiring process,” the American Airlines breach notification said.

Both companies have said that their internal systems were not affected by the breach. The only data exposed was stored on systems belonging to the breached pilot recruitment system vendor.

Information that the pair provided to the Maine Attorney General shows that the data breach impacted a tad over 3,000 for Southwest and nearly 5,800 for American Airlines.

The publicly available Southwest Airlines notification only mentioned exposed pilot names. There was no information about other data that may have been stolen. However, American Airlines said that attackers could have accessed:

  • Social Security number (SNN)
  • Driver’s license number
  • Passport number
  • Date of birth
  • Airman Certificate number
  • Other government-issued ID numbers

Stolen SSNs often end up on underground marketplaces, where cybercriminals can buy the data to use in whichever way they like.

Having personal identifiers such as SSNs, driver’s licenses, and other IDs exposed poses significant risks, as impersonators can use the stolen info for identity theft.

In this specific case, attackers could launch spear phishing attacks. The targets of such attacks are well-researched beforehand, and scam messages are created specifically for them. Attackers often impersonate the victims’ closest friends, family, or business associates.

Both companies have stated that they’ll no longer use the services of pilotcredentials.com and will use internal resources to manage pilot applications. The victims of the breach were promised identity theft and credit monitoring services.