Air France-KLM's frequent flyer program hit by hackers in data breach
Hackers managed to break into Flying Blue, the frequent flyer program used by KLM and Air France. The hackers may have gained access to members’ personal data and travel information. NL Times reviewed a message sent by Flying Blue, which stated, “Our security operations teams have detected suspicious behavior by an unauthorized entity in relation to your account.”
According to the letter, customers’ first and last names may have been accessed by hackers, as well as other private data, including their phone number, email address, and recent transaction history. Data specific to the Flying Blue program may also have been accessed, including the customers’ Flying Blue numbers, their frequent flyer status level, and miles balance.
“We have immediately implemented corrective action to prevent further exposure of your data,” the letter said. “No credit card and/or payment information was exposed.”
Air France and KLM confirmed the incident, which they called a "data breach," and acknowledged that "Flying Blue customer data were accessed." They notified the relevant data protection authorities in both the Netherlands and France, as well as all customers concerned.
However, several customers complained on social media about the airline group’s handling of the incident. Some noted that the email sent to made it seem like the airline group successfully fended off the attack when in reality, a wide range of personal information may have leaked out. Critics also pointed to the frequent flyer group’s lack of more secure login measures, such as 2FA, and a more antiquated 12-character limit to the length of passwords.
The complaints on social media also revealed that not all Flying Blue customers were notified of the hack. One customer noted on Twitter that Flying Blue’s message looked like a phishing email. “Air France-KLM, what happened, guys? If you got hacked, we should know.”
The Flying Blue program boasts 17 million members. It is the primary frequent flyer program for KLM, Air France, and Transavia, as well as Aircalin, Kenya Airways, and Tarom.
I swear I initially thought this was a phishing e-mail, but no! https://t.co/8tMjjHqbPE is a legitimate domain of theirs. @airfrance @KLM what happened, guys? If you got hacked, we should know! pic.twitter.com/myNF7kPDF6— Alex “Jay” Balan (@Jaymzu) January 6, 2023