Spanish airline Air Europa, the country’s third-largest airline and member of the SkyTeam alliance, warned customers on Monday to cancel their credit cards after attackers accessed card information in a recent data breach.
“We inform you that a cybersecurity incident was recently detected on one of our systems consisting of possible unauthorized access to your bank card data,” Air Europa said in emails sent to affected customers. “We secure our systems, guaranteeing the correct functioning of the service. Additionally, we make the necessary notifications to the competent authorities and necessary entities (AEPD, Incibe, banks, etc.).”
Credit card details exposed in the breach include card numbers, expiration dates and the three-digit CVV (Card Verifier Value) code on the back of payment cards.
Air Europa also warned affected customers to ask their banks to cancel their cards used on the airline’s website due to the “risk of card forgery and fraud” and “to prevent possible fraudulent use”.
Customers have also been advised not to provide their personal information or card PINs to anyone contacting them by phone or email and not to open links in emails or messages warning of fraudulent transactions involving their cards.
The company has not yet revealed, however, how many customers were affected by the data breach, the date on which its systems were breached and when the incident was detected.
Two years ago, in March 2021, the Spanish Data Protection Agency (DPA) had fined the airline €600,000 for violating the European Union’s General Data Protection Regulation (GDPR) and for having notified the data protection body privacy surveillance on the data breach more than 40 days after it occurred.
The 2021 data breach affected an estimated 489,000 customers, with attackers gaining access to contact and bank account data — card numbers, expiration dates, and CVV codes — stored in 1.5 million data records. criminals used around 4,000 bank card details in fraudulent activities, Air Europa classified the breach as a medium-risk incident and chose not to inform affected individuals. With international news agencies.
See the original post at: CisoAdvisor
