Skip to main content
Netherlands News in English

Main navigation

  • Top stories
  • Health
  • Crime
  • Politics
  • Business
  • Tech
  • Culture
  • Sports
  • Weird
  • 1-1-2
Image
Passengers line up for security screening behind the KLM logo at Schiphol Airport, 21 July 2022
Passengers line up for security screening behind the KLM logo at Schiphol Airport, 21 July 2022 - Credit: NL Times / NL Times - License: All Rights Reserved
Politics
Business
Air France - KLM Group
Benjamin Broersma
Bert Hubert
data breach
NOS
Monday, 18 December 2023 - 08:11

Share this article:

KLM, Air France passenger data was improperly secured, and vulnerable to data theft

A large amount of personal data belonging to airline passengers who flew on KLM and Air France was not properly secured, and was somewhat readily available for theft, according to NOS and information technology security researcher Benjamin Broersma. The security hole was fixed soon after the broadcaster contacted the Dutch airline. It was not immediately clear if any passengers were affected by a data breach.

The private data that was available included e-mail addresses, telephone numbers, and passport information, the broadcaster reported. The security researcher also alleged that unauthorized users were also able to edit or delete passenger passport information, and relevant data related to travel visas.

The issue was discovered in the shortened URL sent from KLM to passengers via text message. Because the links are shortened down to just six characters, they were less unique, and thus, less secure.

As a result, they were accessible to any random hacker who wanted to test hyperlinks on a wide scale. This type of cyberattack could be carried out by an individual or collective creating a script to automatically scrape data by testing one link after another. As the data was visible to anyone, regardless if they were logged in, the personal information could be collected without actually attacking the security infrastructure.

A brief test by NOS and Broersma uncovered 900 records with valid passenger data in a matter of hours. “There were actually two things that went wrong: the [URL] codes were too short, and there were too many working codes,” said Broersma.

KLM claimed their security staff noticed the suspicious activity caused by the NOS test, and began taking steps to fix the problem before they were contacted. After the broadcaster contacted the airline, the airline said, “Our IT department has immediately taken the necessary measures to resolve this.” This response was written and submitted to NOS on Friday afternoon. “Anyone who now clicks on the link must first log in to the My Travel environment of the KLM or Air France websites. The situation is therefore safe and normal again.”

Regardless, it was not clear if any passengers were affected by the security hole before it was repaired, and determining that could be difficult in hindsight. KLM would not say how many passengers could potentially have had their data stolen, or if they were aware of any data actually taken in a theft. “As previously indicated, we take the privacy of our passengers seriously and implement a very advanced security policy,” the company told NOS.

Someone was caught napping at KLM, said former intelligence service leader Bert Hubert. “Six characters is just not enough. They could have made it eight or nine.” The seemingly small change would actually make a big difference, as six characters means a total of about 57 billion permutations, but increasing that to eight characters boosts the total to over 200 trillion. Such a change would have strongly reduced the chance of randomly finding a valid short URL.

More like this

Image
Odido's headquarters building in The Hague. Undated
Voice of fake IT employee links Dutch criminals to Odido hack
Image
FIFA World Cup against the background of the flag of the Netherlands.
Nearly half of Dutch municipalities to extend opening hours for World Cup matches
Image
Odido's headquarters building in The Hague. Undated
Odido only noticed theft of 6.2 million people’s data when hackers informed them
Image
Bored students in a lecture hall
Company behind Canvas makes deal with hackers; Says stolen data was destroyed
Make NL Times your top Google source

Follow us:

Latest stories

  • Voice of fake IT employee links Dutch criminals to Odido hack
  • Fire destroys multiple holiday homes on beach in Velsen-Noord; One hurt
  • WorldPride starts with unveiling of permanent Walk of Pride monument through Amsterdam
  • Logistics worker, 39, tied to cocaine found among bananas sent to Lidl stores in May
  • Dutch government designing own sovereign data cloud

Top stories

  • Fire destroys multiple holiday homes on beach in Velsen-Noord; One hurt
  • WorldPride starts with unveiling of permanent Walk of Pride monument through Amsterdam
  • Amsterdam tech company Mews cuts 15 percent of jobs to drive AI
  • People in their 30s, 40s most frustrated by work; Third consider their job meaningless
  • Netherlands won’t increase inheritance tax, Finance Min. says despite mounting estates

© 2012-2026, NL Times, All rights reserved.

Footer menu

  • Change Privacy Settings
  • Privacy Policy
  • Contact
  • Partner Content