Air France-KLM claims cyberattack stopped in time – experts aren’t convinced


Air France-KLM, a French-Dutch airline company, has informed its Flying Blue program customers that their personal information was exposed after their accounts were breached in a hack.

"Our security operations teams have detected suspicious behavior by an unauthorized entity in relation to your account. We have immediately implemented corrective action to prevent further exposure of your data," notifications sent to affected customers said.

Air France-KLM also said its infosecurity department was taking action to “prevent any suspicious activity” with regard to customers’ accounts.

KLM’s official Twitter account also confirmed the attack, telling a customer that the breach had been stopped in time and that “no miles were charged”, in reference to frequent flier discounts on future flight bookings that the hackers could have potentially misused to their own benefit. The company also recommended that customers change their Flying Blue password.

Air France-KLM's notification about a breach. Image by Cybernews.

Not all fellow Twitter users posting on the thread were convinced by KLM’s explanation. Troy Hunt, an Australian web security consultant who runs data-breach search website Have I Been Pwned, doesn’t seem to believe the cyberattack was stopped in its tracks.

“Listing a bunch of exposed data and inviting people to change their password doesn’t sound like ‘blocked in time’,” Hunt said on Twitter.

List of woe

Although the firm says that the incident did not expose customer credit card or payment information, the list of potentially compromised data is a long one. It includes names, email addresses, phone numbers, Flying Blue earned miles balance, and latest transactions.

However, analysts have pointed out that victim addresses were not on the list: strange, considering users have to fill in this data field when they create a Flying Blue profile.

Flying Blue is a loyalty program allowing clients of multiple airlines, including Air France, KLM, Transavia, Aircalin, Kenya Airways, and TAROM, to exchange loyalty points for various rewards.

Leaks of customer-related data hit quite a few airlines in 2022. In September, Portugal’s TAP airline said threat actors stole – and published – customer names, nationalities, dates of birth, addresses, emails, and other personally identifiable information.

Just a few days earlier, American Airlines also announced a data breach that revealed private information of customers. The breach took place in July 2022 via employee email compromise, when an intruder accessed the email accounts of some staff members.