Air Europa suffers a major data breach with full credit card details exposed

Air Europa, the Spanish airline which BA’s parent IAG is currently in the process of acquiring, appears to have suffered from a data breach.

The email sent out to customers over the weekend should, I think, serve as an example of how not to do this.

Rather than rewrite the story, I thought I’d share the email with you, with comments!

Dear Customer:

At AIR EUROPA we are committed to the security and privacy of our customers. In light of this, we work daily to apply the best practices in the sector and comply with current regulations.

They are SO committed to the security and privacy of your data that they appear to have spent very little on cybersecurity, because:

In accordance with this commitment, we inform you that a cybersecurity incident was recently detected in one of our systems consisting of possible unauthorized access to your bank card data, specifically the following:

• The number of the bank card ending in XXXX
• The expiration date of that card.
• The CVV of the card.

Say what?! You thought you’d casually mention half-way down that all of my credit card information, including the CVV code, has been exposed?!

From the first moment we have put all our resources to contain the incident, adopting all the necessary technical and organizational measures. Thanks to this, we have secured our systems, guaranteeing the correct functioning of the service. Additionally, we have made the due notifications to the competent authorities and necessary entities (AEPD, INCIBE, banks, etc.).

That’s nice. How about telling me what you’re going to do to help me with my compromised credit card?

Given the risk of card spoofing and fraud that this incident could entail, and in order to protect your interests, we recommend that you take the following steps:

1. Identify the card used to make payment(s) on the AIR EUROPA website.
2. Contact your bank.
3. Request the cancellation/cancellation/replacement of that card in order to prevent possible fraudulent use of your information.
4. Do not provide personal information, your pin, name or any other personal data through telephone, message or email, even when they are identified as your bank.
5. Do not click on links that warn you of fraudulent operations. Contact your bank directly by verifiable means.
6. Collect any evidence of possible unauthorized use of your card and report it to the State Security Forces.

So, Air Europa isn’t actually going to do anything to help me then ….

Our goal is to prevent similar situations from occurring in the future, as well as to minimize the possible inconvenience that all this may cause.

Bit late for that, I suspect – and I don’t see you doing anything to ‘minimize the possible inconvenience’ of your passengers. It’s also not ‘possible’ inconvenience, it IS inconvenience if my credit card has to be cancelled.

We apologise for the damages we may have caused you and we are at your complete disposal for any clarification or additional resolution of doubts you may need. Also, if you want more information about the management of the security breach, contact our Data Protection Officer at the mail: delegadopd@aireuropa.com.

Best regards,
Air Europa