KLM Alerts Customers After Data Theft by Fraudsters

Air France–KLM suffers major customer data breach, highlighting rising cyber threats and security challenges in global aviation.


On Wednesday, Air France and KLM announced a breach of a customer service platform that compromised the personal data of an undisclosed number of customers. The breach highlights the increasing cybersecurity challenges faced by the aviation industry. Air France–KLM Group, founded in 2004, is a multinational airline holding company with a French–Dutch core. It is known as one of the largest airline holding companies in the world.


The two carriers, along with Transavia, operate under it. In 2024, the group transported 98 million passengers worldwide with a fleet of 564 aircraft, a workforce of 78,000 employees, and a network extending to 300 destinations in 90 countries. The incident should therefore concern customers as well as the industry as a whole.

The breach reportedly occurred at the airline group's external customer service platform and gave attackers access to sensitive information, including customer names, contact information, frequent flyer records, and recent transaction history. Although Air France and KLM emphasised that no internal systems or financial data had been compromised, they also confirmed that they were taking immediate steps to prevent any further unauthorised access to their systems.

Security analysts note that the incident appears to echo the ShinyHunters cybercrime group, an organisation notorious for exploiting platforms like Salesforce through phishing and social engineering campaigns. Regulatory authorities in France and the Netherlands have been notified, and affected passengers have been contacted directly.

The group has previously been linked to several breaches that affected major global brands over the year, including Google, Adidas, and many luxury fashion houses. The airline group has not confirmed whether Salesforce was involved in this attack, but the techniques and the timing of the attack appear consistent with the group's activities.

Such threats have risen considerably of late: WestJet and Hawaiian Airlines experienced similar breaches in the past few months. In light of these developments, customers are advised to remain vigilant against possible phishing attacks, while industry experts suggest that third-party platforms should be audited rigorously, access controls should be enhanced, and strong cybersecurity frameworks should be implemented to protect against future threats.

Interestingly, the breach bears striking similarities to one disclosed by the Australian carrier Qantas in July, which also involved the compromise of a third-party customer service platform. In that case, hackers were able to gain access to personal information, including the names, dates of birth, e-mail addresses, telephone numbers, and frequent flyer membership numbers of customers. 

According to a subsequent investigation, the attackers had also obtained residential and business addresses, hotel delivery addresses associated with lost baggage, and in a few cases even the meal preferences of passengers. According to Qantas, approximately six million people were affected by this attack.

Fraudulent activity targeting the airline's customers is on the rise, and passengers are urged to be vigilant against communications from individuals impersonating the airline. According to security sources, the breach is part of a larger wave of attacks attributed to ShinyHunters, a threat actor known for exploiting Salesforce environments through vishing and social engineering techniques, which has been linked to numerous attacks over the years.

The campaign has also hurt several high-profile organisations, including Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany & Co., Chanel, and most recently, Google. When asked whether the breach involved a compromised Salesforce instance or how many individuals were affected, an Air France–KLM spokesman declined to provide further details, citing the ongoing investigation.

Several other aviation-related breaches have been linked to the Scattered Spider hacker collective, which has recently turned its attention to targeting airlines and transportation businesses, including this incident. In the past, the Scattered Spider group had attacked insurance companies and retail firms, but in recent months it has been compromising carriers such as WestJet and Hawaiian Airlines. In response to the incident, KLM informed the Dutch Data Protection Authority of the breach, while Air France informed the French Data Protection Authority.

Both carriers are sending a direct message about the compromise to all of their customers and encouraging them to be vigilant against any emails or phone calls that could be influenced by it. Air France–KLM Group, the parent company of the airlines along with Transavia, is a multinational carrier established in 2004.

Air France–KLM employs approximately 78,000 people and transports millions of passengers every year, all across the globe. There has been no confirmation of who perpetrated the breach; however, cybersecurity analysts have suggested that it may have been connected to a group called ShinyHunters, which has previously infiltrated Salesforce environments to steal data from major brands like Chanel, Tiffany & Co., and Dior.

Ben McCarthy, a cybersecurity expert at Immersive, commented on the possible link between the two systems, explaining that campaigns targeting SaaS platforms like Salesforce underscore how much threat actors value these systems, since a single breach could lead to access to the data of multiple organisations. This incident is a stark reminder of the security risks inherent in the increasingly complex digital ecosystem on which airlines now rely.

A growing number of carriers are using interconnected platforms and third-party services to enhance customer experiences, but in doing so they are also increasing the attack surface available to threat actors. Protecting such large networks requires not just advanced technical safeguards but also continuous collaboration between aviation companies, regulators, and cybersecurity experts.

A number of attacks have demonstrated both persistence and adaptability, so the industry faces a growing need to anticipate threats rather than merely react to them. Heightened awareness among passengers is a crucial line of defence, as even the most sophisticated security systems can be compromised by a single successful phishing attack or a manipulated interaction with customers.

The latest breach in the ever-evolving landscape of cyber threats illustrates a growing reality: in aviation especially, trust and security are now as essential to the journey as the aircraft themselves.