Spain’s Air Europa has fallen victim to a cyberattack on its payment system, exposing some customer credit card information.
The Mallorca-based airline emailed customers to notify them their data had been compromised Tuesday.
The customer notification came 41 days after the attack happened, even though the company is required to report any cyber incident within 72 hours.
The company also told its customers to cancel any cards used on the Air Europa website "to prevent possible fraudulent use of your information," although the airline stated there was no "evidence that the breach was ultimately used to commit fraud."
Furthermore, the Spanish airline did not reveal how many customers were compromised. Cybernews has reached out to Air Europa and is awaiting a response.
Some customers took to X (formerly known as Twitter) to express frustration after finding out about the attack, which leaked customers' full account numbers, the three-digit Card Verification Value (CVV) number, and the expiration dates associated with the card.
The company stated that no other personal information had been compromised in the attack and it had notified the relevant financial institutions of the breach.
Spain’s consumer association OCU recommended that affected customers follow Air Europa's advice.
The OCU also requested Spain’s data protection watchdog to investigate details of the attack and whether the exposed cards could pre-date the company's alert.
The Association fined Air Europa in 2021 for mishandling a breach involving 500,000 customers back in 2018.
Air Europa is currently in the process of being taken over by International Consolidated Airlines Group, the parent company of British Airways.