Air Europa Cyberattack Exposes Customer Payment Card Information

Spain’s third largest airline, Air Europa in an email warned customers about the theft of their payment card information, following a recent data breach incident.

‘’In accordance with this commitment, we inform you that a cybersecurity incident was recently detected in one of our systems consisting of possible unauthorized access to your bank card data,’’ the email said. This email was sent both in Spanish and English and was shared by impacted customers on to their X (formerly Twitter) accounts.

The payment information revealed in the breach, included card numbers, expiration date, and the three-digit CVV (Card Verification Value) code. The Mallorca-based airline urged customers to cancel the payment system (credit/debit card) used for booking on its website.

It warned customers about the possible attempts of fraud and card spoofing. Thus, advising them to not share their personal information, pin, or any other sensitive data over phone, email, or messages and to be vigilant about any fraudulent transaction involving their bank cards.

The email did not reveal any details about the incident, like the date of breach, number of impacted customers, or when was it first detected by Air Europa. However, the airline did state that no other personal information was accessed by the threat actors, and it had taken the necessary remediation measures to prevent similar security breaches in the future.

It had secured its systems and informed the relevant authorities, like (Spanish Data Protection Agency (AEPD), The Spanish National Cybersecurity Institute (INCIBE), banks, etc.). ‘’From the first moment we have put all our resources to contain the incident, adopting all the necessary technical and organizational measures,’’ the email said.

This is not the first time that the airline has suffered such a mishap. In 2021, it was fined €600,000 by the Spanish Data Protection agency for failing to notify the authorities and customers about a data breach involving customers’ financial and contact information.