Recently, Americans Airlines stated that the personal information of a “very small number” of employees and customers was affected by an unauthorized party’s compromise of the company’s business email accounts.

Information obtained by hackers includes driver’s license details, passport numbers, dates of birth, and medical information. Thus far, analysts do not believe that the stolen data has been misused or sold, although attackers may be waiting for a lower-profile sales opportunity.

Additional safeguards have been put in place to prevent future attacks, says the airline. The company secured breached accounts and hired a cyber security firm to assist with an investigation.

“We regret that this incident occurred and take the security of your personal information very seriously,” wrote Chief Privacy and Data Protection Officer, Russell Hubbard, in a letter to affected customers. American Airlines is offering two years of identity theft monitoring services to victims.

The commercial availability of ‘phishing kits’ means that nearly anyone can organize a phishing campaign, regardless of technical capabilities. In the modern era, phishing is a DIY activity. Take steps to prevent phishing attacks. Start with the following:

1. Educate employees. Phishing awareness training can protect your employees, customers and your business from email fraud.

2. Consider password managers. Using a password manager can help defend against brute-force accounts with weak passwords, along with credential stuffing.

3. Endpoint security. The increased use of cloud services and personal devices in the workplace have introduced new endpoints that may not be fully protected. It’s essential to monitor endpoints for security threats and to implement rapid remediation and response for compromised devices.

4. Deploy email security. Email filtering solutions can block malware, detecting malicious links, attachments, spam content and language that may indicate a phishing threat.

5. Conduct phishing simulations. Request for your IT department to send out a fake phishing email and to assess responses.

6. Limit access to high-value systems and data. Privileged user accounts are attractive to cyber criminals, as access potentially allows for lateral movement across a network

Be sure to check out this case study, from a major airline that decided to use Avanan to better secure their employees