Cyber Incident Victim: Air Europa

Date: Jan 2023

Location: Spain

Summary

Air Europa experienced a cybersecurity breach compromising its online payment system, exposing customer credit card information. The company notified affected individuals via email, instructing them to replace compromised cards to prevent potential fraud, though no evidence of misuse was confirmed. A Spanish consumer association urged authorities to disclose the attack timeline due to concerns about unauthorized card activity prior to the company's alert. This incident follows a previous data breach where the airline mishandled customer notifications and faced regulatory penalties for delayed reporting.

Description

Air Europa experienced a cybersecurity incident impacting its online payment system, resulting in unauthorized exposure of customer credit card data. The Spanish airline confirmed the breach but did not disclose the number of affected customers. Notification emails were sent to individuals whose payment details were compromised, instructing them to replace their cards to prevent potential fraudulent use. Financial institutions associated with the exposed cards were also alerted. A customer email reviewed by Reuters indicated Air Europa proactively invalidated payment cards used on its platform as a containment measure. The company asserted no evidence suggested the stolen data had been exploited for fraudulent transactions at the time of disclosure.

This marks Air Europa's second major data security incident in recent years. In 2018, a breach affected 489,000 customers, which the airline failed to report within the legally mandated 72-hour window, delaying notification for 41 days. Spanish authorities imposed a financial penalty in 2021 for this regulatory violation. Following the 2023 breach, Spain's OCU consumer advocacy organization petitioned the national data protection authority to disclose the attack timeline, expressing concerns about possible undetected card misuse prior to Air Europa's alert. The airline, undergoing acquisition by International Consolidated Airlines Group (IAG) during both incidents, maintained operational continuity throughout the investigations.
