Passengers line up for security screening behind the KLM logo at Schiphol Airport, 21 July 2022 - Credit: NL Times / NL Times - License: All Rights Reserved
Monday, 18 December 2023 - 08:11

KLM, Air France passenger data was improperly secured, and vulnerable to data theft

A large amount of personal data belonging to airline passengers who flew on KLM and Air France was not properly secured and could be obtained with relatively little effort, according to NOS and IT security researcher Benjamin Broersma. The security hole was fixed soon after the broadcaster contacted the Dutch airline. It was not immediately clear whether any passengers were affected by a data breach.

The private data that was exposed included e-mail addresses, telephone numbers, and passport information, the broadcaster reported. The security researcher also alleged that unauthorized users were able to edit or delete passenger passport information and data related to travel visas.

The issue was discovered in the shortened URLs that KLM sent to passengers via text message. Because the links were shortened to a code of just six characters, the number of possible codes was small enough that valid ones could be found by guessing, which made them less secure.

As a result, they were accessible to any attacker willing to test hyperlinks on a large scale. This type of cyberattack could be carried out by an individual or a group writing a script that automatically tries one link after another and scrapes whatever data comes back. Because the data was visible to anyone, whether or not they were logged in, the personal information could be collected without attacking the security infrastructure itself.

A brief test by NOS and Broersma uncovered 900 records with valid passenger data in a matter of hours. “There were actually two things that went wrong: the [URL] codes were too short, and there were too many working codes,” said Broersma.

KLM claimed their security staff noticed the suspicious activity caused by the NOS test, and began taking steps to fix the problem before they were contacted. After the broadcaster contacted the airline, the airline said, “Our IT department has immediately taken the necessary measures to resolve this.” This response was written and submitted to NOS on Friday afternoon. “Anyone who now clicks on the link must first log in to the My Travel environment of the KLM or Air France websites. The situation is therefore safe and normal again.”

Regardless, it was not clear if any passengers were affected by the security hole before it was repaired, and determining that could be difficult in hindsight. KLM would not say how many passengers could potentially have had their data stolen, or if they were aware of any data actually taken in a theft. “As previously indicated, we take the privacy of our passengers seriously and implement a very advanced security policy,” the company told NOS.

Someone was caught napping at KLM, said former intelligence service leader Bert Hubert. “Six characters is just not enough. They could have made it eight or nine.” The seemingly small change would actually make a big difference: six characters allow a total of about 57 billion possible codes, whereas increasing the length to eight characters boosts the total to over 200 trillion. Such a change would have strongly reduced the chance of randomly finding a valid short URL.
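To make Hubert's and Broersma's two points concrete (the code space must be large, and the number of live codes must be small), here is an added example that is not from the article or from KLM. It assumes the codes are drawn from the 62 letters and digits, and the number of live codes used in the test is a constructed figure.

```python
import secrets
import string

# Assumed alphabet for the short links: upper- and lowercase letters plus digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct codes of the given length (62**6 is about 57 billion)."""
    return alphabet_size ** length


def hit_probability(live_codes: int, length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Chance that a single uniformly random guess lands on a currently valid code.

    This is the risk metric behind both failures described in the article:
    it rises with the number of live codes and falls with the code length.
    """
    return live_codes / keyspace(length, alphabet_size)


def min_length_for(live_codes: int, max_hit_probability: float,
                   alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest code length that keeps a random guess below the accepted hit probability."""
    length = 1
    while hit_probability(live_codes, length, alphabet_size) > max_hit_probability:
        length += 1
    return length


def new_code(length: int) -> str:
    """Generate a code using a CSPRNG, so codes cannot be predicted from earlier ones."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    live = 1_000_000  # constructed figure for the number of unexpired links
    for n in (6, 8, 9):
        print(f"{n} chars: {keyspace(n):,} codes, hit probability {hit_probability(live, n):.2e}")
    print("length needed for <= 1e-9 per guess:", min_length_for(live, 1e-9))
    print("sample code:", new_code(9))
```

Expiring codes after use shrinks `live_codes` and lowers the hit probability just as a longer code does; requiring a login behind the link, as KLM did, removes the data exposure even when a code is guessed.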

© 2012-2026, NL Times, All rights reserved.

Footer menu

  • Change Privacy Settings
  • Privacy Policy
  • Contact
  • Partner Content