Security Experts:

Connect with us

Hi, what are you looking for?



Airlines Alert Customers, Employees of Cybersecurity Incidents

Several North American airlines alerted customers and employees in the past days about various types of cybersecurity incidents, including system breaches, data leaks and credential stuffing attacks.

Several North American airlines alerted customers and employees in the past days about various types of cybersecurity incidents, including system breaches, data leaks and credential stuffing attacks.

Virgin America said it detected unauthorized access to information systems containing employee and contractor data on March 13. According to the company, a third-party accessed logins and passwords used for its corporate network.

Cybersecurity forensics experts have been called in to investigate the incident and law enforcement has been notified.

The company said roughly 3,100 employees and contractors had their login credentials compromised, and an additional 110 individuals may have had social security numbers, driver’s license or government issued IDs, addresses, and health-related information stolen.

Canada-based WestJet Airlines told customers on Friday that an unauthorized third party disclosed some WestJet Rewards member profile data. While the leaked data did not contain any payment card or other financial information, the company has notified the Calgary Police Service and the RCMP’s cybercrime unit.

The airline is in the process of notifying affected customers, and it has advised WestJet Rewards members to change their passwords on a regular basis.

Florida-based ultra low cost carrier Spirit Airlines has sent an email to customers to notify them of an incident involving their FREE SPIRIT account.

The company told customers that someone published their information on a third-party website, but pointed out that the data was obtained from a prior breach unrelated to Spirit Airlines.

Spirit’s warning comes after a hacker contacted news websites, including SecurityWeek, claiming to have obtained information on 11.7 million Spirit accounts. The individual claimed to have alerted the airline of a vulnerability in its systems, and decided to put the data up for sale on the dark web after the company ignored him.

The hacker has leaked more than 10,000 records apparently belonging to Spirit customers, including names, Spirit account numbers, passwords, dates of birth, phone numbers, addresses and email addresses. However, he refused to provide the full data set or evidence of how he breached the airline’s systems.

Spirit told SecurityWeek that the hacker actually attempted to extort the company using emails and passwords obtained previously from other sources on the Internet.

Security expert Troy Hunt, the owner of the Have I Been Pwned service, told SecurityWeek that all the email addresses he tested from the leaked data show up in, a list of nearly 600 million email address and password combinations compiled using data stolen from various online systems.

Cybercriminals have used the list for credential stuffing attacks, where attackers automatically inject username/password combinations into a website’s login page in hopes that account owners have used the same credentials on multiple online services.

Related: Hackers Target Malaysia Airlines, Threaten Data Dump

Related: United Airlines Hack Highlights Need for Improved Information Sharing

Related: Hackers Target Polish Airline LOT, Ground 1,400 Passengers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...