Spanish airline Air Europa, the country’s third-largest airline and a member of the SkyTeam alliance, warned customers on Monday to cancel their credit cards after attackers accessed their card information in a recent data breach.
“We inform you that a cybersecurity incident was recently detected in one of our systems consisting of possible unauthorized access to your bank card data,” Air Europa said in emails sent to affected individuals and seen by BleepingComputer.
“We have secured our systems, guaranteeing the correct functioning of the service. Additionally, we have made the due notifications to the competent authorities and necessary entities (AEPD, INCIBE, banks, etc.).”
The credit card details exposed in the breach include card numbers, expiration dates, and the 3-digit CVV (Card Verification Value) code on the back of the payment cards.
Air Europa also warned affected customers to ask their banks to cancel their cards used on the airline’s website due to “the risk of card spoofing and fraud” and “to prevent possible fraudulent use.”
Customers were also advised not to provide their personal info or card PINs to anyone contacting them over the phone or via email and not to open any links in emails or messages warning them of fraudulent operations involving their cards.
Number of affected customers remains unknown
The company has yet to reveal how many of its customers were affected by the data breach, the date its systems were breached, and when the incident was detected.
An Air Europa spokesperson was not available for comment when contacted by BleepingComputer earlier today.
Two years ago, in March 2021, the Spanish Data Protection Agency (DPA) also fined €600,000 the airline for violations of the European Union’s General Data Protection Regulation (EU GDPR) and for notifying the privacy watchdog of the data breach more than 40 days later.
The 2021 data breach affected roughly 489,000 individuals, with the attackers gaining access to their contact and bank account details (card numbers, expiration dates, and CVV codes) stored in 1,500,000 data records.
While criminals used around 4,000 bank cards’ data in fraudulent activities, Air Europa classified the breach as a medium-risk incident and chose not to inform the affected individuals.