KLM, Air France latest major organizations looted for customer data
(2025/08/07)
- Reference: 1754571614
- News link: https://www.theregister.co.uk/2025/08/07/klm_air_france_latest_major/
- Source link:
European airline giants Air France and KLM say they are the latest in a string of major organizations to have their customers' data stolen by way of a break-in at a third party org.
Turbulence at Air Serbia, the latest airline under cyber siege [1]READ MORE
The airlines, which share a parent company, Air France-KLM Group, said in a joint statement that they "detected unusual activity on an external platform we use for customer service," which led to attackers accessing customer data.
"Our IT security teams, along with the relevant external party, took immediate action to stop the unauthorized access," the [2]statement read. "Measures have also been implemented to prevent recurrence. Internal Air France and KLM systems were not affected.
"No sensitive data such as passwords, travel details, Flying Blue miles, passport, or credit card information was stolen."
The airlines did not publicly specify the types of data that were stolen, but the exclusion of sensitive data suggests basic personal information was involved.
[3]
However, [4]customer notifications circulating online noted that first and family names, along with contact details, Flying Blue numbers and tier levels, and the subject lines of service request emails were accessed.
[5]
[6]
KLM and Air France advised customers to be on heightened alert for phishing attempts. Both said they had referred themselves to the Dutch and French data protection authorities, respectively.
The customer notice from Barry ter Voert, chief experience officer at KLM, read: "We recommend staying alert when receiving messages or other communication using your personal information, and to be cautious of any suspicious activity. The data involved in this breach could be used to make phishing messages appear more credible. If you receive unexpected messages or phone calls, especially asking for personal information or urging you to take action, please check their authenticity.
[7]
"We understand the concern this may cause, and we deeply regret any inconvenience this may have caused you."
The Register approached the companies for additional information but they did not comment beyond the public statement.
The attack marks the latest in a string of data lapses at major organizations that also blamed a third party.
[8]
In recent weeks, luxury retailers [9]Dior , [10]Chanel , and [11]Pandora all reported similar leaks at third party providers, as did [12]Google , [13]Qantas , and [14]Allianz .
All of the above declined to identify the third party in question except for Google, which said this week that one of its Salesforce instances was raided.
None of the victims have attributed their attacks to any group – yet – but the prime suspect behind all of these intrusions is the ShinyHunters cybercrime crew, which is perhaps best known for its role in last year's attacks on [15]Snowflake customers.
[16]Majority of 1.4M customers caught in Allianz Life data heist
[17]GPS on the fritz? Britain and France plot a backup plan
[18]Emirates dinged for slipshod online data privacy practices
[19]Boolean bafflement at British Airways' Executive Club: Sneaky little Avioses - Wicked, Tricksy, False!
Scattered Spider also [20]changed its focus toward airlines earlier this year, and some researchers said it could be behind [21]the attack on Hawaiian Airlines in June.
Check Point [22]said last month that the attacks on Qantas and [23]WestJet , which all occurred within three weeks of one another, bore hints of Scattered Spider's involvement, mainly due to the tradecraft that led to the intrusions. ®
Get our [24]Tech Resources
[1] https://www.theregister.com/2025/07/16/air_serbia_cyberattack/
[2] https://nieuws.klm.com/klm-informeert-klanten-over-incident-met-persoonsgegevens/#
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aJTNlNyrcYQB0dTHxTeZ8wAAAIs&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://x.com/troyhunt/status/1953181019726856661
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aJTNlNyrcYQB0dTHxTeZ8wAAAIs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aJTNlNyrcYQB0dTHxTeZ8wAAAIs&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aJTNlNyrcYQB0dTHxTeZ8wAAAIs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aJTNlNyrcYQB0dTHxTeZ8wAAAIs&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://www.theregister.com/2025/07/24/eau_no_dior_tells_customers/
[10] https://x.com/Ransom_DB/status/1952589194557116595
[11] https://www.forbes.com/sites/daveywinder/2025/08/05/pandora-confirms-cyberattackwhat-you-need-to-know/
[12] https://www.theregister.com/2025/08/06/google_salesforce_attacks/
[13] https://www.theregister.com/2025/07/09/qantas_begins_telling_customers_data/
[14] https://www.theregister.com/2025/07/28/allianz_life_data_breach/
[15] https://www.theregister.com/2025/05/15/snowflake_ciso_interview/
[16] https://www.theregister.com/2025/07/28/allianz_life_data_breach/
[17] https://www.theregister.com/2025/07/14/britain_france_navigation_alternatives/
[18] https://www.theregister.com/2018/03/05/emirates_dinged_for_slipshod_privacy_practices/
[19] https://www.theregister.com/2020/07/08/bork/
[20] https://www.theregister.com/2025/06/30/scattered_spider_aviation/
[21] https://www.theregister.com/2025/06/27/aloha_youve_been_pwned_hawaiian/
[22] https://blog.checkpoint.com/research/exposing-scattered-spider-new-indicators-highlight-growing-threat-to-enterprises-and-aviation/
[23] https://www.theregister.com/2025/06/16/westjet_cybersecurity_snafu/
[24] https://whitepapers.theregister.com/
Turbulence at Air Serbia, the latest airline under cyber siege [1]READ MORE
The airlines, which share a parent company, Air France-KLM Group, said in a joint statement that they "detected unusual activity on an external platform we use for customer service," which led to attackers accessing customer data.
"Our IT security teams, along with the relevant external party, took immediate action to stop the unauthorized access," the [2]statement read. "Measures have also been implemented to prevent recurrence. Internal Air France and KLM systems were not affected.
"No sensitive data such as passwords, travel details, Flying Blue miles, passport, or credit card information was stolen."
The airlines did not publicly specify the types of data that were stolen, but the exclusion of sensitive data suggests basic personal information was involved.
[3]
However, [4]customer notifications circulating online noted that first and family names, along with contact details, Flying Blue numbers and tier levels, and the subject lines of service request emails were accessed.
[5]
[6]
KLM and Air France advised customers to be on heightened alert for phishing attempts. Both said they had referred themselves to the Dutch and French data protection authorities, respectively.
The customer notice from Barry ter Voert, chief experience officer at KLM, read: "We recommend staying alert when receiving messages or other communication using your personal information, and to be cautious of any suspicious activity. The data involved in this breach could be used to make phishing messages appear more credible. If you receive unexpected messages or phone calls, especially asking for personal information or urging you to take action, please check their authenticity.
[7]
"We understand the concern this may cause, and we deeply regret any inconvenience this may have caused you."
The Register approached the companies for additional information but they did not comment beyond the public statement.
The attack marks the latest in a string of data lapses at major organizations that also blamed a third party.
[8]
In recent weeks, luxury retailers [9]Dior , [10]Chanel , and [11]Pandora all reported similar leaks at third party providers, as did [12]Google , [13]Qantas , and [14]Allianz .
All of the above declined to identify the third party in question except for Google, which said this week that one of its Salesforce instances was raided.
None of the victims have attributed their attacks to any group – yet – but the prime suspect behind all of these intrusions is the ShinyHunters cybercrime crew, which is perhaps best known for its role in last year's attacks on [15]Snowflake customers.
[16]Majority of 1.4M customers caught in Allianz Life data heist
[17]GPS on the fritz? Britain and France plot a backup plan
[18]Emirates dinged for slipshod online data privacy practices
[19]Boolean bafflement at British Airways' Executive Club: Sneaky little Avioses - Wicked, Tricksy, False!
Scattered Spider also [20]changed its focus toward airlines earlier this year, and some researchers said it could be behind [21]the attack on Hawaiian Airlines in June.
Check Point [22]said last month that the attacks on Qantas and [23]WestJet , which all occurred within three weeks of one another, bore hints of Scattered Spider's involvement, mainly due to the tradecraft that led to the intrusions. ®
Get our [24]Tech Resources
[1] https://www.theregister.com/2025/07/16/air_serbia_cyberattack/
[2] https://nieuws.klm.com/klm-informeert-klanten-over-incident-met-persoonsgegevens/#
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aJTNlNyrcYQB0dTHxTeZ8wAAAIs&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://x.com/troyhunt/status/1953181019726856661
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aJTNlNyrcYQB0dTHxTeZ8wAAAIs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aJTNlNyrcYQB0dTHxTeZ8wAAAIs&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aJTNlNyrcYQB0dTHxTeZ8wAAAIs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aJTNlNyrcYQB0dTHxTeZ8wAAAIs&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://www.theregister.com/2025/07/24/eau_no_dior_tells_customers/
[10] https://x.com/Ransom_DB/status/1952589194557116595
[11] https://www.forbes.com/sites/daveywinder/2025/08/05/pandora-confirms-cyberattackwhat-you-need-to-know/
[12] https://www.theregister.com/2025/08/06/google_salesforce_attacks/
[13] https://www.theregister.com/2025/07/09/qantas_begins_telling_customers_data/
[14] https://www.theregister.com/2025/07/28/allianz_life_data_breach/
[15] https://www.theregister.com/2025/05/15/snowflake_ciso_interview/
[16] https://www.theregister.com/2025/07/28/allianz_life_data_breach/
[17] https://www.theregister.com/2025/07/14/britain_france_navigation_alternatives/
[18] https://www.theregister.com/2018/03/05/emirates_dinged_for_slipshod_privacy_practices/
[19] https://www.theregister.com/2020/07/08/bork/
[20] https://www.theregister.com/2025/06/30/scattered_spider_aviation/
[21] https://www.theregister.com/2025/06/27/aloha_youve_been_pwned_hawaiian/
[22] https://blog.checkpoint.com/research/exposing-scattered-spider-new-indicators-highlight-growing-threat-to-enterprises-and-aviation/
[23] https://www.theregister.com/2025/06/16/westjet_cybersecurity_snafu/
[24] https://whitepapers.theregister.com/
Another 3rd party supplier
Data ripped from another 3rd party supplier.
You have to wonder just how many insecure 3rd party companies have your personal data (including financial data) are out there and what the responsibilities are of the companies who you bought the original service from.
Seem to me that it's always a case of passing the buck.