Airline Virgin America has told staff and contractors that a hacker may have gained unauthorized access to their log-in data.
In a data breach notice letter, the firm revealed that its monitoring systems discovered the intrusion attempt on 13 March, after which point its incident response plan kicked in and forensics experts were brought in and law enforcement contacted.
The unauthorized third party is said to have gained access to users’ “login information and password that you use to access Virgin America’s corporate network”.
The airline, which was bought by Alaskan Airlines for $2.6 billion last year, said it had required all employees and contractors to reset their passwords as a precaution.
It added:
“It is always a good idea to remain vigilant against threats of identity theft or fraud and to regularly review your bank and credit card statement and credit reports for any unauthorized activity. Report suspected incidents of fraud or identity theft promptly. You should also regularly rotate your password for your online accounts and not use the same password for multiple accounts. We have enclosed a Resources Guide containing contact information for the three national consumer reporting agencies and other information which you may find helpful.”
Virgin also warned its staff and contractors to be on the lookout for follow-on phishing attacks which may use the log-in data in an attempt to elicit further sensitive personal information from the affected users, such as passwords, Social Security numbers and bank account details.
Alaska Airlines is not thought to be affected, but reports suggest that over 3,100 staff and contractors at Virgin America could have had their log-ins stolen, while around 110 may also have had personal data taken including their addresses, Social Security numbers, and driving license details.
Customer data appears not to have been affected.
Some experts praised Virgin’s professional response to the incident.
"Virgin America demonstrates its use of best practice, pro-active approach in security monitoring activities have enabled their security team to immediately notice an attempt to access their internal systems where staff and contractor information was stored,” argued One Identity EMEA director, Andrew Clarke.
“Often companies are unaware that these incidents have even taken place. Moreover, they clearly had well practised plans to mitigate the impact of the risk and ensure the affected individuals were notified.”
Virgin America will be hoping its prompt action heads off any staff unrest. A data leak at Seagate in 2016 enabled hackers to file fraudulent tax returns in the names of affected employees, forcing a class action lawsuit against the firm.
It has just agreed to pay $5.75m to pay for identity theft checks and other costs borne by staff following the incident.