Air Europa Cyberattack Exposes Customer Payment Card Information

• Written by Shipra Sanganeria Cybersecurity & Tech Writer

Spain’s third largest airline, Air Europa in an email warned customers about the theft of their payment card information, following a recent data breach incident.

‘’In accordance with this commitment, we inform you that a cybersecurity incident was recently detected in one of our systems consisting of possible unauthorized access to your bank card data,’’ the email said. This email was sent both in Spanish and English and was shared by impacted customers on to their X (formerly Twitter) accounts.

The payment information revealed in the breach, included card numbers, expiration date, and the three-digit CVV (Card Verification Value) code. The Mallorca-based airline urged customers to cancel the payment system (credit/debit card) used for booking on its website.

It warned customers about the possible attempts of fraud and card spoofing. Thus, advising them to not share their personal information, pin, or any other sensitive data over phone, email, or messages and to be vigilant about any fraudulent transaction involving their bank cards.

The email did not reveal any details about the incident, like the date of breach, number of impacted customers, or when was it first detected by Air Europa. However, the airline did state that no other personal information was accessed by the threat actors, and it had taken the necessary remediation measures to prevent similar security breaches in the future.

It had secured its systems and informed the relevant authorities, like (Spanish Data Protection Agency (AEPD), The Spanish National Cybersecurity Institute (INCIBE), banks, etc.). ‘’From the first moment we have put all our resources to contain the incident, adopting all the necessary technical and organizational measures,’’ the email said.

This is not the first time that the airline has suffered such a mishap. In 2021, it was fined €600,000 by the Spanish Data Protection agency for failing to notify the authorities and customers about a data breach involving customers’ financial and contact information.

Flagstar Bank Data Breach Affects Over 800K Customers

• Written by Shipra Sanganeria Cybersecurity & Tech Writer

In a recent notification, Michigan-based Flagstar Bank warned its customers about the exposure of their personal information due to a breach suffered by its third-party service provider.

With total assets of over $31 billion and more than 150 branches across several US states, Flagstar Bank was one of the largest financial services provider in the country, before its acquisition in 2022.

According to the issued notification, the bank suffered an indirect breach which led the hackers to access sensitive information of around 837,390 customers. Fiserv, a vendor which Flagstar uses for payment processing and mobile banking services, was impacted by the infamous Cl0P MOVEit Transfer attack.

The attack which occurred in May 2023, involved the MOVEit file transfer software, wherein unknown hackers had exploited a zero-day vulnerability to breach thousands of organizations worldwide to steal data.

Fiserv, which was also one of the targeted organizations, saw its system and files being accessed by unauthorized threat actors. ‘’During that time, unauthorized actors obtained our vendor files transferred via MOVEit. These files included Flagstar Bank and related institution customer information, including yours,’’ the notification revealed.

The type of stolen information was not disclosed by Flagstar in the notification. However, according to the information available on the Maine Attorney General office portal , the stolen data included names, other personal identifiers, and Social Security Number (SSNs).

The bank however confirmed that none of its internal system or customer service was impacted by the breach. It also revealed the remediation steps taken to prevent such incidents in future, including deploying necessary security measures, informing relevant authorities, and offering free identity monitoring service to impacted customers for two years.

This is the third time that Flagstar has suffered a data breach since March 2021. Earlier, in June 2022, it had disclosed a data breach of its corporate network, impacting nearly 1.5 million of its customers.