KLM Royal Dutch Airlines and Air France have confirmed a data breach. Customer information was accessed through an external provider. This impacts people who contacted their customer service.
The Breach: What We Know
KLM detected unusual activity on a system used by its contact centers. The system was run by an outside company. KLM’s security team and the provider moved fast to stop the activity. Air France is also checking its own customer data for similar issues. Both airlines are part of the Air France-KLM group.
Their main internal systems weren’t hacked. The problem was with the outside company’s platform.
Information Exposed
The hackers got hold of:
- First and last names
- Email addresses and phone numbers
- Flying Blue membership numbers
- Flying Blue status levels (like Silver, Gold)
- Subject lines from emails sent to customer service
Information NOT Stolen
The airlines stressed that sensitive details weren’t taken. This includes:
- Passport numbers
- Credit or debit card info
- Account passwords
- Flying Blue mile balances
- Specific travel dates or booking records
Who’s Affected & Reporting
Customers who interacted with KLM or Air France customer service are mainly affected. Flying Blue members got emails about it. KLM hasn’t said exactly how many people are involved. They reported it to the Dutch data watchdog. Air France told the French regulator (CNIL).

Why Third Parties Are a Risk
This hack shows the danger of relying on outside companies. KLM’s and Air France’s own systems weren’t hacked, but the hackers reached customer data through the customer service provider’s platform. The provider hasn’t been named.
What This Means for Customers
No money was stolen directly. But the exposed info is risky:
- Phishing Scams: Expect fake emails or texts that look real. They might use your name, Flying Blue number, or reference a past service issue.
- Tricky Phone Calls: Scammers might call, using your details to sound legit. They could ask for more info or payments.
- Urgent Fake Alerts: Watch for messages about ‘cancelled flights’ needing ‘immediate action’ or fake refund offers tied to your Flying Blue status.
KLM told customers: “Be careful with emails or calls mentioning your Flying Blue details.” They said to distrust messages demanding quick action or extra information.
The Airlines’ Response
KLM stated: “Our teams and the third-party provider took steps fast. We fixed it and made things stronger to stop it happening again.” Barry ter Voert, KLM’s Chief Experience Officer, apologized: “We know this worries you. We’re sorry for the trouble.”
Affected customers should use official channels to check suspicious messages. Credit monitoring hasn’t been offered publicly yet.
Expert Advice
Cunningham advised victims: “Change your usernames and passwords now. Turn on multi-factor authentication (MFA) if you can. Use any credit monitoring they offer.” He pushed KLM hard: “If they don’t offer MFA, they need to add it. It’s basic security.”
Not the First Time
KLM has had other security slips:
- December 2023: A flaw in their SMS system might have exposed flight info.
- Early 2023: Another Flying Blue breach leaked customer data.
This shows ongoing security headaches in aviation, especially with customer data and outside partners.
Regulations & Disclosure
Cunningham noted EU rules require reporting some breaches to regulators. “But,” he said, “those reports don’t always go public.” So other similar breaches might happen quietly.
The Scale
This hits two huge European airlines. KLM has about 200 planes, made over $14.5 billion last year, and employs more than 36,000 people. Air France has 38,000 staff and nearly $19 billion in revenue. Flying Blue has millions of members worldwide.