A data breach stemming from a third-party customer service database has affected European airlines Air France and KLM Royal Dutch Airlines.
The sister airlines are part of the Air France-KLM Group and transport more than 80 million passengers annually. The group operates over 564 aircraft flying to over 90 destinations, and employs over 78,000 people.
In a joint statement, the airlines said the data breach impacted limited customer information, and the threat actor’s access was terminated.
Air France and KLM confirm data breach from a third-party customer service system
Air France-KLM Group said it learned of the cyber intrusion after detecting “unusual activity on an external platform” it uses for customer service.
The company said it responded by engaging third-party cyber experts and its internal IT teams to terminate the threat actor’s access.
It also implemented additional security measures to prevent further exploitation and similar data breaches in the future. Air France-KLM Group also assessed that its internal IT infrastructure and computer information systems were not affected.
Additionally, the data breach did not expose sensitive customer information, such as user account login credentials, travel details, passwords, credit cards, or Flying Blue miles credits.
However, they did not specify which details were exposed, suggesting that basic personal information such as names, email addresses, and phone numbers was likely compromised.
If so, these details could allow threat actors to target impacted customers with compelling phishing lures and obtain more significant personal information, such as credit cards and Social Security Numbers.
However, Have I Been Pwned’s Troy Hunt shared a KLM data breach notification stating that the cyber intrusion leaked the customer’s first and family name, contact details, Flying Blue mile number and tier level, and the subject of service request emails.
That information is a gold mine for online fraudsters intending to carry out successful travel and frequent flyer reward scams.
Meanwhile, KLM has advised its customers to remain vigilant for potential phishing scams exploiting information stolen from the third-party customer service database. The airlines have also notified French and Dutch data protection authorities of the cyber attack.
Data breach likely attributed to ShinyHunters
Air France and KLM have not attributed the data breach to any threat actors or disclosed the number of impacted individuals or the affected third-party customer service information system.
Nevertheless, the data breach bears the hallmarks of the ShinyHunters voice phishing campaign targeting a Salesforce cloud-based customer service system that has so far impacted over a dozen companies.
Confirmed or suspected victims include Google, Chanel, Louis Vuitton, Dior, Tiffany & Co., Adidas, Allianz Life, LVMH, and the Danish jewelry maker Pandora.
Google specifically stated that it was the victim of the customer service system breach that leaked publicly available company information, such as company name and contact details.
Later, the tech colossus confirmed that impacted customers had started receiving phishing messages intended to obtain more significant personal information or potentially breach their internal systems.
The ShinyHunters cyber gang has gained notoriety for targeting cloud-based information systems, resulting in widespread supply chain data breaches.
The prolific data leaker was credited with breaching Snowflake’s cloud platform, affecting high-profile companies such as Ticketmaster, European banking giants Santander and Deutsche Bank, American telecommunications giant AT&T, and teen fashion retailer Hot Topic.
“This breach at Air France-KLM is an example of modern supply chain risk,” stated Ben McCarthy, Lead Cyber Security Engineer at Immersive. “Attackers are increasingly targeting smaller, third-party vendors because they are often the path of least resistance into a major corporation’s network or data.
“For a global company, its security is only as strong as the weakest link in its digital supply chain; some organizations will have 1000s of supply chain companies that all access certain bits of data,” added McCarthy.
While the ShinyHunters threat group is the most likely culprit, another amorphous ransomware group, Scattered Spider, has applied similar tactics to breach organizations.
It has previously targeted various airlines, including Australia’s Qantas Airlines, Hawaiian Airlines, American GlobalX, Canadian WestJet, and Russian Aeroflot.
According to Google, the group’s social engineering tactics are very effective and even capable of bypassing the most mature security programs. Its social engineering campaign also pivots from the organization’s network to VMware ESXi environments, ending in a complete takeover of the hypervisor.
“If this attack is indeed linked to the broader campaign targeting Salesforce instances, it highlights how threat actors like ShinyHunters and Scattered Spider are focusing their efforts,” added McCarthy. “They understand that SaaS platforms like Salesforce hold so much valuable customer data and one breach into a supply chain company can mean access to many different organizations.”
Meanwhile, no threat actor has claimed responsibility for the Air France and KLM data breach, and the sister companies have yet to disclose that information due to an ongoing investigation.

