Private details of KLM customers were easy to retrieve

A security error made it easy to retrieve personal data of KLM customers, NOS research shows. Most of the data consisted of names and email addresses, but in a small number of cases it also included passport details, including the number and expiry date, which together are enough to create a false travel document. Data of customers of sister company Air France could also be viewed. KLM cannot say exactly how long this was the case; a spokesperson speaks of “some time”.

The cause of the leak turned out to be text messages that customers receive with links to, for example, their flight details, KLM confirms. The URLs in those text messages were at most six characters long, which means the number of possible combinations was relatively limited and the data was therefore easy to retrieve automatically by ‘scraping’.
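The link-length problem described above can be checked at design time. The following is an added example, not code from KLM or NOS: it computes how dense valid links are in a token space and how long a random token must be to keep guessing impractical. The 62-symbol alphabet, the number of live links and the function names are assumptions made for illustration.

```python
import secrets
import string

# Assumption: links use a 62-symbol alphanumeric alphabet (not stated in the article).
ALPHABET = string.ascii_letters + string.digits


def hit_rate(live_links, length, alphabet_size=len(ALPHABET)):
    """Probability that one uniformly random guess lands on a live link."""
    return min(1.0, live_links / alphabet_size ** length)


def min_length(live_links, one_in, alphabet_size=len(ALPHABET)):
    """Shortest token length such that at most 1 in `one_in` guesses is valid."""
    needed = live_links * one_in  # required size of the token space
    length = 1
    while alphabet_size ** length < needed:
        length += 1
    return length


def new_token(length):
    """Token drawn from the OS CSPRNG, so it is neither sequential nor predictable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    live = 1_000_000  # constructed figure, not taken from the incident
    print(f"6 chars: 1 valid link per {1 / hit_rate(live, 6):,.0f} guesses")
    # Target: fewer than 1 valid link per 2**64 guesses.
    length = min_length(live, 2 ** 64)
    print(f"length needed: {length}, sample token: {new_token(length)}")
```

The same calculation shows why a short link should at most lead to a login or a second factor rather than directly to the data: shortening the token for SMS convenience raises the hit rate exponentially.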

The airline does not say exactly how many people are affected. Since one in every hundred to two hundred attempts in the investigation produced a valid link behind which data could be seen, NOS estimates that this concerns “many customers”. KLM and Air France are investigating the consequences of the incident and say they have informed the Dutch Data Protection Authority about the situation “as a precaution”. Affected customers will also be notified.

Earlier leak

In January this year, KLM and Air France also suffered a data breach, which affected customers of the Flying Blue loyalty program. KLM gave assurances that the hackers had not been able to view payment details, but they had been able to view data such as telephone numbers and e-mail addresses. According to a KLM spokesperson, the cause of that hack, unlike the current one, did not lie with the airline itself, but with customers who hacked “third-party management programs in which they can log their trips and keep track of miles.”


