dark reading threat intel and cybersecurity news

Call it breach week: Hard on the heels of the Uber bombshell, American Airlines said that it suffered a data breach after a successful phishing attempt hooked a few employee email accounts. And consumer banking app Revolut confirmed that more than 50,000 customers may be impacted by a targeted data heist.

In the case of American, the airline told customers in a notification letter filed with the Montana Department of Justice that in July it discovered compromised email accounts for a “limited number” of employees. The mailboxes contained a raft of customer data, which could include name, date of birth, phone number, mailing address, email address, driver’s license number, passport number, and perhaps medical information. That said, there’s no confirmation that attackers actually took off with any of the information.

Meanwhile, fintech bigwig Revolut, which offers global banking, debit cards, fee-free currency exchange, stock trading, cryptocurrency exchange, and peer-to-peer payment services, said that a cyberattacker was able to access data for about 0.16% of its 20 million customers for a “short period” of time. The data protection regulator in Lithuania, where Revolut is headquartered, said that translates to about 50,150 people impacted.

The attackers were able to access names, phone numbers, emails, physical addresses, partial card details, and some unspecified account information, according to the regulator notice — but Revolut noted that funds were safe.

“To be clear, no funds have been accessed or stolen,” the company announced in an email to customers (shared on Reddit). “Our customers’ money is safe — as it has always been. All customers can continue to use their cards and accounts as normal.”

Nonetheless, in both breach cases, the exposed data gives cyberattackers everything they would need to mount targeted follow-on attacks using social engineering, or for credential-stuffing efforts. And indeed, some Revolut customers have already reported phishing messages aimed at capturing their banking account logins.