Air France and KLM have informed Flying Blue customers that some of their personal information was exposed after their accounts were breached.
Flying Blue is a loyalty program allowing clients of multiple airlines, including Air France, KLM, Transavia, Aircalin, Kenya Airways, and TAROM, to exchange loyalty points for various rewards.
“Our security operations teams have detected suspicious behavior by an unauthorized entity in relation to your account. We have immediately implemented corrective action to prevent further exposure of your data,” notifications sent to affected customers said.
“Our Information Security department is taking actions to prevent any suspicious activity with regard to your account.”
KLM’s official Twitter account confirmed the attack and told one of the impacted customers that “the attack was blocked in time and no miles were charged.”
“I do however invite you to change your Flying Blue-password via the Flying Blue-website,” KLM said.
The list of potentially compromised data includes their names, email addresses, phone numbers, latest transactions, and Flying Blue information like their earned miles balance.
The breach alerts added that this incident did not expose customers’ credit card or payment information.
Affected customers were also warned that their accounts had been locked due to the breach and that they must go to the KLM and Air France websites to change their passwords.
Air France and KLM confirmed the data breach in a statement sent to BleepingComputer and said that customers’ sensitive data, such as passport or credit card numbers, was not exposed.
The two airlines said that they also reported the incident to their countries’ data protection authorities.
“Air France and KLM confirm a data breach whereby Flying Blue customer data were accessed. Our IT security team has implemented corrective actions to stop the incident. No sensitive data such as passport or credit card numbers were disclosed,” a spokesperson told BleepingComputer.
“Air France and KLM regret this situation. In accordance with the procedures in force, we informed the competent authorities (Autoriteit Persoonsgegevens and Commission Nationale de l’Informatique et des Libertés) of this event and notified the customers concerned.”