The cyberattack suffered by Air Europa is one of the most serious of all those that Spanish companies have suffered. The company was forced to notify its customers that they must cancel their credit cards, an exceptional measure rarely seen in companies of this size. However, two days after reporting that it had already closed the breach, Air Europa continues to keep secret the most relevant details about it, such as how long it was open and how many victims it had.
elDiario.es has tried to collect this data on several occasions, without success. For now, the airline’s only official statement is a brief message that attempts to downplay the situation by hiding relevant aspects of the attack. Among them is the fact that the security breach affected key credit card information, such as the full number, its expiration date and the CVV (the three-digit number used to authorize online purchases). Nor did it report that it had had to ask its customers to cancel their cards. That information only came to light through those affected themselves, who shared the details of the message they had received.
Only official statement from Air Europa on the cyberattack
- Our Systems team confirmed the existence of a cybersecurity problem that would have affected the payment environment with which purchases are managed through the web. This fraudulent alteration of the flow in the payment process would have allowed the extraction of credit card data. There is no evidence that the leak was used to commit any fraud.
- The detection and rapid intervention of the team to apply the protocol established in our response plan has made it possible to block the security breach and prevent the leak of new data.
- We continue to analyze what happened, such as the origin of the attack or the use of the stolen information. In any case, we insist that to date there is no evidence that said data, which is not stored in our systems, has been used to commit any fraud.
- The data extracted has been exclusively those associated with the cards themselves and not with the clients. In no case have cybercriminals accessed other Air Europa databases or extracted other types of personal information from customers.
- As appropriate, the AEPD, INCIBE, AESA and the financial entities have been notified of the facts in a timely manner, as well as the affected clients, who have received an email with the recommendations to follow to minimize any incident. At this time, all our systems are functioning normally and we can guarantee the security of operations.
Company sources initially explained to this medium that they could not communicate aspects such as the number of people affected since the cybercriminals had been able to intercept data from flight purchases, not their databases, so there could be several purchases associated with a single card. However, Air Europa’s official profiles on social networks are communicating that they have already sent notification to all those affected, so those who have not received it “have nothing to worry about”, something that would indicate that the company has a fairly approximate idea of the victims of the cyberattack.
In any case, Air Europa has not communicated the number of transactions that have been affected by the attack. Victims can be found anywhere in the world.
The breach period, key
The number of victims of the cyberattack will largely depend on the length of time the security breach was open, another aspect that Air Europa does not reveal. This Thursday, several media outlets published disparate information from company sources. VozPópuli claims that the hole was open “two days” and 2,000 people were affected. El Confidencial also cites Air Europa sources and states that cybercriminals have been stealing data since “last week” and that the victims number 100,000.
Neither of the two figures coincides with the data handled by elDiario.es, which has evidence of a passenger who purchased her flights on September 21 and has received notification from Air Europa to cancel her credit card. Other users on social networks have reported that their purchases were made even earlier, on September 16, and that they have also received the notification.
The mystery of the CVV
In the more technical aspects of the cyberattack, there is also a big question for cybersecurity experts: how cybercriminals have managed to access the CVV of the cards. This is a key aspect, since financial and electronic commerce regulations prohibit storing this data in any way, as well as others such as the magnetic stripe on cards, for example.
If, as can be deduced from its official communication, the attackers accessed the CVVs through direct interception of purchases on its official portal, Air Europa would not have violated any regulations. However, this would mean that the airline suffered one of the most serious attacks of this type in history, with its payment systems controlled by cybercriminals for several weeks.
It is a type of attack known as “Magecart”. “It has its complications, but it is something that has been done against a lot of smaller websites. It’s like when they put an external card reader on the ATM’s card reader and, while the card enters and operates, you are saving its data. It is the same process,” explains cybersecurity expert Jorge Louzao.
The most serious attack of this type was suffered by British Airways in 2018. The breach was open for two weeks and resulted in the theft of the credit card data of 380,000 people. On that occasion, the British airline reported the number of cards whose data had been stolen from its very first communication about the cyberattack.
However, there is a detail that puts another possibility on the table for specialists. Air Europa was already fined in 2021 by the Spanish Data Protection Agency for, precisely, irregularly storing the CVVs of its customers. The leak, similar to the one reported this week, occurred in 2018. “I find it very difficult to believe that someone would make a mistake like that twice. There is technology to not do it, it makes no sense to save bank details,” explains Jorge Louzao.
“A serious website, an Amazon or a Netflix for example, never saves bank details. The system of these companies works with a token that is unique for each user and for each platform. This way, if those tokens are stolen, nothing happens because if they want to use them, every time they use them they would be sending money to Amazon, Netflix or the platform from which they got them,” details the specialist.
Air Europa has not responded to elDiario.es’ questions on this point either.
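The merchant-bound token scheme the specialist describes can be sketched as follows. This is an added example written for this page, not the implementation of Air Europa, Amazon, Netflix or any payment provider; `TokenVault`, the merchant identifiers and the test card number are constructed assumptions.

```python
import secrets

class TokenVault:
    """Constructed stand-in for a payment processor's token service."""

    def __init__(self):
        self._tokens = {}  # token -> (merchant_id, customer_id, pan); no CVV kept
        self.ledger = {}   # merchant_id -> cents credited

    def tokenize(self, merchant_id, customer_id, pan, cvv):
        # The CVV is checked for the first authorization only, then dropped.
        if not (cvv.isdigit() and len(cvv) in (3, 4)):
            raise ValueError("malformed CVV")
        token = "tok_" + secrets.token_urlsafe(24)  # random, not derived from the PAN
        self._tokens[token] = (merchant_id, customer_id, pan)
        return token

    def charge(self, token, payee_merchant_id, amount_cents):
        record = self._tokens.get(token)
        if record is None:
            raise PermissionError("unknown token")
        bound_merchant = record[0]
        # Funds can only flow to the merchant the token was issued for.
        if payee_merchant_id != bound_merchant:
            raise PermissionError("token is not valid for this payee")
        self.ledger[bound_merchant] = self.ledger.get(bound_merchant, 0) + amount_cents
        return bound_merchant


def simulate_stolen_token():
    vault = TokenVault()
    # Constructed sample data: a well-known test card number, not a real card.
    token = vault.tokenize("airline-shop", "cust-1", "4111111111111111", "123")
    merchant_db = {"cust-1": token}   # all the merchant ever stores
    stolen = merchant_db["cust-1"]    # what a leak of that database would expose
    try:
        vault.charge(stolen, "thief-shop", 5000)
        redirected = True
    except PermissionError:
        redirected = False
    paid_to = vault.charge(stolen, "airline-shop", 5000)
    return {"redirected": redirected, "paid_to": paid_to, "ledger": vault.ledger}


if __name__ == "__main__":
    print(simulate_stolen_token())
```

Tokenization protects what the merchant stores; it does not help when card details are captured in the checkout page itself before they are tokenized, which is the interception scenario described above.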