Air France and KLM customers’ personal details exposed via data breach

Air France and KLM Royal Dutch Airlines, the flag carriers of France and the Netherlands, have reportedly sent breach notifications to affected customers, informing them about a third-party data breach impacting their personal data.

An attacker gained access to KLM’s customer data by breaching a third-party service provider, the breach notification, shared by a Dutch tech media outlet Tweakers.com, said.

The company confirmed to Cybernews that a third-party data breach took place. Air France and KLM, part of the same holding company, are both investigating fraudulent access to their respective companies' data.

“Unusual activity was detected on a third-party platform used by our contact centres, which led our IT security team, together with the third-party system involved, to swiftly implement corrective measures to put an end to the incident,”

reads the company’s statement, sent to Cybernews via email.

“Unusual activity was detected on a third-party platform used by our contact centres, which led our IT security team, together with the third-party system involved, to swiftly implement corrective measures to put an end to the incident,” reads the company’s statement, sent to Cybernews via email.

Meanwhile, the notice claims that passport numbers, payment card details, passwords, or Flying Blue Miles – the airline’s loyalty program – balances were not exposed in the attack. However, attackers managed to get their hands on personally identifiable information such as:

• Names
• Surnames
• Contact details
• Flying Blue numbers and tier levels
• Subject lines of service request emails

The exposed data strongly points to attackers breaching KLM’s customer service partner or a similar service provider.

While it’s unclear how many people were exposed in the KLM customer data breach, those who were will face increased cybersecurity risks. For one, attackers can utilize the stolen details for identity theft, which often leads to setting up fraudulent accounts.

Cybercrooks may also leverage the data for social engineering attacks, targeting customers by impersonating airline representatives. Targeted scams often bank on customers panicking over supposedly cancelled flights or other travel-related issues.

KLM’s breach notice states that the airline has reported the incident to the Dutch Data Protection Authority. At the same time, impacted customers were advised to stay vigilant and be wary of suspicious messages.

KLM, part of Air France-KLM airline holding company, is a major player in the European air travel industry. With a fleet of nearly 200 aircraft, the company reported revenue exceeding $14.5 billion last year and reportedly employs over 36,000 people. Meanwhile, Air France boasts staff of 38,000 with a yearly revenue of nearly $19 billion.