Air Europa Warns Customers to Cancel Credit Cards Following Data Breach

Spanish airline Air Europa, the third-largest airline in the country and a member of the SkyTeam alliance, has issued a warning to its customers urging them to cancel their credit cards. This comes after attackers gained unauthorized access to the airline’s systems, compromising customers’ card information in a recent data breach.

The cybersecurity incident was detected by Air Europa, and affected individuals received emails from the airline advising them of the breach. In these emails, Air Europa assured customers that their systems have been secured, ensuring the proper functioning of their services. They have also made the necessary notifications to the relevant authorities and entities including the Spanish Data Protection Agency (AEPD), National Institute of Cybersecurity (INCIBE), and banks.

The breach resulted in the exposure of credit card details, including card numbers, expiration dates, and the 3-digit CVV (Card Verification Value) codes located on the back of the payment cards.

Air Europa has advised affected customers to contact their banks and request the cancellation of any cards used on the airline’s website. This precaution is aimed at mitigating the risk of card spoofing and fraud, as well as preventing any potential fraudulent use of the compromised card information.

Furthermore, customers have been cautioned against disclosing personal information or card PINs to individuals contacting them via phone or email. They are also advised to refrain from opening any links in emails or messages that claim to warn them about fraudulent activities related to their cards.

Number of Affected Customers Still Unknown

Air Europa has not disclosed the exact number of customers affected by the data breach, nor have they provided details regarding the date of the breach or when the incident was discovered.

When contacted by BleepingComputer, an Air Europa spokesperson was unavailable for comment.

In March 2021, the Spanish Data Protection Agency (DPA) fined Air Europa €600,000 for violating the European Union’s General Data Protection Regulation (EU GDPR) and for delaying the notification of the data breach to the privacy watchdog by over 40 days. This previous breach impacted approximately 489,000 individuals, with the attackers gaining access to their contact details and bank account information, including card numbers, expiration dates, and CVV codes, which were stored in 1,500,000 data records.

Despite the fraudulent use of approximately 4,000 bank cards’ data, Air Europa classified the breach as a medium-risk incident and chose not to inform the affected individuals.