Cyber Incident Victim: Air Europa

Date: Oct 2023

Location: Spain

Summary

Air Europa experienced a cybersecurity breach that compromised its online payment system and exposed customer credit card data. The airline notified affected customers by email, instructing them to replace their cards to prevent potential fraud, and said it had no evidence of actual misuse. A Spanish consumer association urged authorities to make the airline disclose the attack timeline, citing the risk that cards were exploited before customers were notified. This incident follows a prior breach in which the company mishandled customer data and was penalized for delayed reporting.

Description

In October 2023, Air Europa disclosed a cybersecurity incident involving unauthorized access to its online payment system, resulting in the exposure of customer credit card data. The Spanish airline confirmed the breach but did not specify the number of affected customers or the exact timeframe of the attack. Affected individuals received email notifications advising them that their payment cards required cancellation and replacement to prevent potential fraudulent use. Air Europa stated it had informed relevant financial institutions about the compromised data. The company emphasized no evidence indicated attackers had exploited the stolen information for fraudulent transactions prior to the notification. A customer email reviewed by Reuters corroborated these instructions, explicitly linking the card replacement mandate to the payment system breach.

This incident occurred amid Air Europa's acquisition by International Consolidated Airlines Group (IAG) and followed a prior data security failure. In 2018, the airline experienced a breach affecting 489,000 customers, which it reported to authorities 41 days after discovery—well beyond the 72-hour notification mandate under applicable regulations. Spanish regulators imposed a financial penalty in 2021 for this delayed disclosure. Following the 2023 breach, Spain's Organization of Consumers and Users (OCU) petitioned the national data protection authority to compel Air Europa to disclose the attack timeline, citing concerns that fraudulent card activity might have preceded the company's warnings. The airline maintained its focus on card reissuance and institutional coordination without addressing the OCU's request or providing additional breach specifics.
