KLM has informed customers about a data breach at an external customer service partner, in which contact information and Flying Blue data were stolen. The airline emphasizes that “sensitive” data such as passwords and travel dates have not been affected.
Customer communications indicate that travelers who have previously contacted customer service are vulnerable to the breach. First and last names, phone numbers, email addresses, Flying Blue numbers and status, and the subject of support tickets may have been compromised.
The incident was reported to regulators by both Air France-KLM divisions. KLM reported it to the Dutch Data Protection Authority, while Air France reported it to the French privacy watchdog CNIL.
Limited to customer service platform
The data breach affected an external platform used by both KLM and Air France for customer support. “This resulted in unauthorized access to customer data,” said a KLM spokesperson. The breach was discovered by the IT security teams, who immediately took action together with the external partner.
KLM and Air France’s own systems were not affected. According to the airline, “no sensitive data such as passwords, travel details, Flying Blue miles, passport or credit card details were stolen.” However, the actual haul is enough to send convincing phishing emails, so extra caution is advised when checking your inbox.
Precautionary measures for customers
KLM advises affected customers to be extra alert to suspicious communications via email or telephone. This is not the first data breach involving the airline. In December 2023, an investigation by the Dutch public broadcaster NOS revealed how KLM flight data was accessible via SMS links due to weak security. In early 2023, there was also a data breach at Flying Blue in which customer data was stolen.