Topline
Air France and KLM Royal Dutch Airlines—the flagship carriers of France and the Netherlands—were the latest in a string of global carriers to be hacked since mid-June.
Key Facts
On Thursday, Air France alerted customers via email of “a recent data breach involving your personal data” whereby “a fraudster gained limited access to a third-party system that is used by Air France.”
KLM, which sent a similar breach notification to its customers, confirmed to Forbes in an email that the incident “occurred last week and it was quickly analyzed and contained.”
Some customers’ first names, frequent flyer numbers and tier levels were exposed, but credit card details, passport numbers, frequent flyer miles balances and booking information were not, according to the email to Air France customers.
A hacker group called ShinyHunters claims to be behind the airline attacks, and cybersecurity experts believe this group overlaps with Scattered Spider, which was behind the WestJet, Hawaiian and Qantas breaches.
KLM also said in a press release that it had “detected unusual activity on an external platform we use for customer service.”
Neither Air France nor KLM has disclosed which customer service platform was breached, but multiple cybersecurity sources, including the security software company Malwarebytes and Infosecurity magazine, have chronicled how ShinyHunters has had success targeting high-profile Salesforce customers, including Google, Cisco, Adidas and Allianz.
Why Are Airlines Being Targeted?
Airlines make good targets because they are so complex, William Wright, a Scotland-based cybersecurity expert for Closed Door Security, told Forbes. “They are massive, with loads and loads of supply chain,” he said. “It’s very obvious where the weak links are. Unfortunately for the airlines, there’s very little they can do directly, because usually it’s a third party that owns the system.”
What Is ShinyHunters?
Named after a popular practice among Pokémon players of actively seeking out and trying to capture “shiny Pokémon,” ShinyHunters is a well-established black-hat hacking collective responsible for several high-profile data breaches and leaks in recent years. Recent victims include Ticketmaster and the Spanish bank Santander. ShinyHunters is thought to be affiliated with Scattered Spider, a loose community of hackers credited with many high-profile cyberattacks in recent years, including the 2023 ransomware attacks on MGM Resorts and Caesars Entertainment, the British retailer Marks & Spencer and the insurance company Aflac. But it can often be difficult to attribute a cyberattack to a specific group, Wright told Forbes. “You quite often see people with specific skill sets being called into different groups. If we use Spider as an example, it’s possible one of their team has a specific set of skills with Salesforce, and therefore ShinyHunters has hired them. They will recruit from other groups when they have skill set requirements.”
Why Are Frequent Flyer Miles So Valuable To Hackers?
Loyalty programs are often poorly protected, Wright told Forbes. A second built-in weakness is the flexibility they offer customers in how they can spend miles or points. Air France’s Flying Blue program is typical in allowing customers to spend miles on items other than flights, including hotels, duty-free shopping and online shopping. “The main thing that any attacker wants to do is get the asset out of whatever system it’s in,” Wright said. “If they can spend the reward points on other things, then that’s the way they’ll do it. And once those points leave the airline, they are essentially untraceable.”
What We Don’t Know
Whether the airline hacks are part of what Infosecurity calls “an ongoing data theft campaign targeting Salesforce instances.” Many of ShinyHunters’ attacks employ voice phishing, as Google Threat Intelligence Group explained in a recent blog post: “This approach has proven particularly effective in tricking employees, often within English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of organization’s Salesforce data. In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce.”
The pattern has led some cybersecurity experts to suspect the hacks are the work of people who know Salesforce well. “Typically, what you get is a collection of people who have a specific set of skills. And it may very well be the reason they’re targeting Salesforce is because the people who are behind it actually know Salesforce,” Wright speculated. “Most likely if these attackers are ever caught, we’ll probably find they used to be Salesforce developers or Salesforce administrators, or there will be some connection there.”
Salesforce denied that its software is the weak link. “The Salesforce platform has not been compromised, and this issue is not due to any known vulnerability in our technology,” a company spokesperson told Forbes in an email. “It’s true that the Salesforce platform itself hasn’t had a vulnerability, but it’s being used maliciously. It’s that fine line between a very customizable piece of software and opening the door to misuse,” Wright said.
Surprising Fact
The hackers pulling off these huge breaches are often in their early 20s or even teens. “A lot of these groups who are not state aligned tend to be a group of younger people who are bored, have a skill set but just don’t have that moral boundary to go off and do these things,” Wright said. “They definitely have much less experience in life with consequences.”
Further Reading
These 3 Airlines Were Cyberattacked In The Last 3 Weeks—Here’s What We Know (Forbes)