Air France and KLM Disclose Data Breach Involving Third-Party Platform

Air France and KLM have begun notifying customers about a data breach involving unauthorized access to a third-party customer service platform. While the airlines are part of the same airline group, the incident appears to affect customers of both carriers.

What Happened?

According to statements from the companies, threat actors gained access to a platform used to manage customer service interactions. The breached data includes:

• First and last names

• Contact information

• Email subject lines related to service requests

• Flying Blue loyalty program numbers

The airlines have emphasized that sensitive information such as passwords, passport details, payment information, flight data, and Flying Blue miles was not accessed.

Response and Recommendations

Air France and KLM have reported the breach to data protection authorities in France and the Netherlands. In addition, affected customers have been advised to remain vigilant against phishing emails and phone scams that may attempt to exploit the exposed data.

Although the compromised information may seem limited, cybercriminals can use it to craft convincing phishing messages, impersonate airline communications, or conduct social engineering attacks aimed at account takeover.

Link to Broader Threat Campaign

This breach may be part of a broader cybercrime campaign targeting customer relationship management (CRM) systems, particularly Salesforce instances. Security researchers have observed similar breaches at major companies—including Google, Cisco, Adidas, Allianz Life, Dior, and Louis Vuitton—with threat actors stealing customer data via social engineering rather than exploiting software vulnerabilities.

A hacking group known as ShinyHunters has claimed responsibility for some of these breaches. There are also indications that ShinyHunters may be collaborating with or merging with the Scattered Spider group, a known threat actor with a history of targeting large enterprises.

Notably, cybersecurity analysts had recently issued warnings that Scattered Spider had begun focusing on the airline sector, making the timing of the Air France and KLM incident particularly concerning.

No Vulnerability in Vendor Systems

It is important to highlight that these breaches do not appear to stem from vulnerabilities in the CRM vendor systems themselves. Instead, attackers use phishing and impersonation tactics to gain access to individual corporate accounts and CRM portals.

Takeaways for Consumers and Organizations

• For customers: Be cautious of any unexpected emails or calls, especially those requesting sensitive information or login credentials.

• For organizations: Strengthen user training to detect phishing attempts, implement phishing-resistant multi-factor authentication, and monitor third-party platform access carefully.

This incident underscores the need for robust third-party risk management and awareness of evolving phishing tactics targeting CRM systems across industries.