Third-Party Vendor Hack Exposes Data at American, Southwest Airlines

Written by

The hacking of a third-party vendor called Pilot Credentials has resulted in data breaches affecting pilots’ information at American Airlines and Southwest Airlines.

The breach, discovered on May 3, was limited to the vendor’s systems and reportedly did not compromise the airlines’ networks.

“Whether critical information is managed by a third-party application, or a vendor has direct access to one’s infrastructure, additional security risk is introduced and therefore must be monitored and controlled,” commented Rezonate CEO, Roy Akerman.

“While organizations are realizing more and more that third-party risk is their risk, more work is required to enable this awareness across people, technology and processes.”

Read more on third-party breaches: Uber Drivers’ Data Exposed in Breach of Law Firm’s Servers

At the same time, unauthorized access allowed the perpetrator to steal documents containing personal information provided by pilot and cadet applicants.

“To mitigate the risks posed by data breaches, organizations across industries should adopt data-centric security approaches like tokenization and format-preserving encryption,” explained Erfan Shadabi, a cybersecurity expert with data security specialists comforte AG.

“These techniques enhance data security by limiting exposure, reducing the value of stolen data, and minimizing the potential impact of breaches.”

American Airlines reported 5745 pilots and applicants affected, while Southwest Airlines reported 3009. Although there is no evidence of targeted exploitation, both airlines said they would redirect applicants to internal portals.

“Our investigation determined that the data involved contained some of your personal information, such as your name and Social Security number, driver’s license number, passport number, date of birth, Airman Certificate number, and other government-issued identification number(s),” American Airlines revealed.

“We are no longer utilizing the vendor, and, moving forward, pilot applicants are being directed to an internal portal managed by Southwest,” Southwest Airlines added.

Law enforcement agencies said they are investigating, and the airlines are fully cooperating. 

These incidents follow previous data breaches experienced by American Airlines in 2022 and 2021.

Editorial image credit: Philip Pilosian /

What’s hot on Infosecurity Magazine?