Air Europa reports breached credit card payment system

The Spanish airline company Air Europa announced that it experienced a cybersecurity incident directly affecting its online payment gateway. This breach led to unauthorized access to some of its customers' credit card details.

In response to this event, Air Europa sent out email notifications to the customers whose credit card information was potentially exposed. Simultaneously, the airline reported the breach to the appropriate financial institutions to ensure precautionary measures could be taken on their end.

The credit card details exposed in the breach include card numbers, expiration dates, and the 3-digit CVV (Card Verification Value) code on the back of the payment cards.

Air Europa warned customers  to cancel their cards used on the airline's website due to "the risk of card spoofing and fraud" and "to prevent possible fraudulent use."

While the airline has confirmed the data exposure, they did not provide specific numbers regarding the total customers impacted or provide an estimate of the possible financial implications the breach might have on their operations.

In an attempt to reassure its stakeholders, Air Europa emphasized that the breach was restricted solely to credit card details and no other personal or sensitive information of its customers was accessed. Furthermore, the airline highlighted that, as of their current findings, there isn't any concrete evidence to suggest that the exposed credit card data has been used for fraudulent transactions or misused in any other way.

Update - as of 22nd March 2024, International Airlines Group (IAG) - the owner of Air Europa sent an email to Air Europa's customers informing them that the data breach exposed personal details:

• identity cards or passport information,
• names,
• birthdays,
• phone numbers and nationalities of customers.

IAG claims there was no evidence of fraudulent use of the data.