Uh oh: Air France-KLM Hacked, Flying Blue User Accounts Compromised

by | Jan 13, 2023

Flying Blue, Air France-KLM’s frequent flyer program, has confirmed in emails to some members that it’s fallen victim to a data breach. Emails from the airline to customers advise them that their accounts have been locked as a precaution and that they’ll need to change their passwords to regain access.

Air France-KLM Flying Blue User Accounts Compromised

Air France-KLM has been hacked, and the private data of Flying Blue members has been compromised. The hack has been widely reported on by media in both France and the Netherlands.

According to the message sent by the airline to some Flying Blue members, it appears that customers’ first and last names, phone numbers, email addresses, and recent transaction history have been compromised by hackers. Flying Blue program data may also have been accessed by the hackers, including Flying Blue numbers, frequent flyer status level, and miles balance.

The airline states that no credit card and/or payment information was exposed during the incident. However, in a statement, the company acknowledged that “Flying Blue customer data were accessed.” Reports indicate that relevant data protection authorities in both the Netherlands and France, as well as all customers concerned. Beyond those admissions, it is not clear how widespread the hack was or if more information was accessed.

Flying Blue is the frequent flyer scheme of Air France-KLM but is also used by Transavia, Aircalin, Kenya Airways and TAROM.

Flying Blue Members React

Flying Blue members have taken to social media to share the email, with many criticizing the group’s handling of the data breach.

Alex “Jay” Balan, a Flying Blue member, tweeted that the Flying Blue email itself looked like a phishing email but that “flyingblue-info.com” is apparently a legitimate domain owned by Air France-KLM.

Other members expressed confusion, asking how widespread the situation was.

Confusion seemed to reign at the airline group after the email went out. KLM’s official account replied to one customer promising to investigate.

More Questions Than Answers

It is unclear how the hackers managed to gain access to the frequent flyer program’s database. It’s possible that the customer accounts were accessed as a result of a credential stuffing attack. It’s worth noting that Air France-KLM does not offer customers much online security. The company does not offer two-factor authentication and imposes an outdated 12-character limit on password lengths.

While the email sent to customers makes it seem as though the attack was successfully foiled, a large amount of personal customer information seems to have been accessed. Meanwhile, not all Flying Blue customers were notified of the hack. With the lack of communication, it’s unclear what the actual extent of the hack was. Were only the passengers who were notified affected? How widespread was it? What information was accessed?

If the airline successfully foiled the attack and the hack amounted to nothing, it’s unclear why locking customer accounts and requiring password changes are necessary. Air France-KLM has not responded to requests for comment.

Air France-KLM has confirmed a hack of user data at its Flying Blue frequent flyer program.

The Upshot

Air France-KLM’s frequent flyer program, Flying Blue, has confirmed a data breach in emails to some members. Emails from the airline to customers advise them that their accounts have been locked as a precaution and that they’ll need to change their passwords to regain access. It’s unclear how widespread the hack was. The airline claims that only a limited amount of information was accessed but little further information has been provided.

Giovanni Hashimoto

Giovanni Hashimoto is editor of Travel Spill. He's a growth hacking consultant and an expert in maximizing credit card rewards and loyalty programs. Giovanni grew up as a third-culture kid and is a citizen of the United States, Japan, and Italy. He's now a digital nomad who's visited over 65 countries, often leveraging points and miles to improve his travel experience.
