Air Europa suffers cyber-attack and asks customers to cancel credit cards
In the last few hours, several users have stated on X (formerly Twitter), citing messages provided by the company, that Air Europa has been the victim of a hack that allowed the perpetrators to obtain customers' credit card information. The attack occurred this morning. The airline has revealed that it was the victim of a cyberattack tonight, which occurred due to a security breach in its systems.
A number of Air Europa customers have reported receiving an email from the firm warning them that the airline has been the victim of a hack, which has led to the loss of certain customers’ banking information. More specifically, the information taken includes the numbers of many cards, their expiration dates, and the CVV security code.
However, the firm has indicated that the hacking of Air Europa’s systems has already been brought under control, and that none of its clients is believed to have suffered fraud using their credit cards. In addition, the company has noted that its systems have been secured in order to stop the cyberattack.
This publication has been notified by the company that “the data extracted has been exclusively associated with the cards themselves and not with customers” and further stated that “in no case have cybercriminals accessed other Air Europa databases or extracted other types of customers’ personal information.”
In spite of these two reassuring messages, the corporation has sent an email to some of the affected clients advising them to take a number of preventative steps. In that email, Air Europa advises its customers to get in touch with their financial institution in order to cancel the credit card that was used to make payments to the airline.
“Given the potential for card impersonation and fraud that this event may entail, and in order to safeguard your interests, we strongly suggest that you take the following precautions: identify the card that was used to make payment(s) on the Air Europa website; contact your bank; request cancellation/replacement of that card to prevent possible fraudulent use of your information; do not provide personal information, your PIN, name, or any other personal data via phone, text, or email, even when they identify themselves as your bank; do not click on links warning you of fraudulent transactions. Get in touch with your bank using a method that can be confirmed. If you find any evidence that your card may have been used without your permission, please contact local law enforcement,” the email instructs recipients.
No fraud detected so far
Air Europa has acknowledged that it has been hit by “a cybersecurity issue that would have had an effect on the payment environment through which purchases are managed through the website.” The organization has additionally said that “there is no evidence that the data breach has been used to commit any fraud” and that “the rapid detection and intervention of the team to implement the established protocol has made it possible to block the security flaw and prevent new data leaks.”
The airline has issued an apology to all of its customers who were adversely affected, and it has made itself available to users who require any form of guidance. The company has confirmed that all of its systems are now fully operational. “Our goal is to prevent similar situations from occurring in the future, as well as minimize any inconvenience this may cause,” the email concludes.
Previous Attack in 2018
This is not the first time that an incident of this kind has hit the Globalia airline. It had already suffered a significant hole in its computer security systems in 2018, which allowed a group of cybercriminals to access the personal and banking data of over half a million of its clients. This happened because of a vulnerability that allowed them to get access to the systems. That assault, in addition to putting the company’s operations at risk, resulted in the corporation being fined a total of 600,000 euros by the Spanish Data Protection Agency (AEPD) in 2021, three years after the first breach.
UPDATE – PCI DSS Certificate:
Globalia, the parent company of Air Europa, announced at the beginning of March 2020 that Air Europa had been certified under the PCI DSS standard for financial transactions. PCI DSS explicitly prohibits storing the CVV, the three-digit security code of every credit card. Air Europa confirmed today that those CVV codes had also been stolen in the hack.