Despite KLM's rapid response, the question remains whether the leak has been exploited before.
KLM and Air France customers should be shocked because research shows that their private data, including telephone numbers, email addresses and sometimes passport details, may have been accessible to unauthorized persons. This problem came to light through research by the NOS, in collaboration with security researcher Benjamin Broersma.
The leak was discovered in the flight information hyperlinks sent to customers. These links, consisting of only six characters, were not unique enough, allowing malicious actors to successfully access sensitive information with automated scripts. The researchers found more than 900 working links, many of which exposed customers' private data.
This data exposure posed a serious risk. Criminals could potentially use this information to create fake travel documents or conduct targeted phishing attacks. In addition, there was the option to edit or delete passport and visa information. Although NOS has not tested this, and KLM has not made any statements about its feasibility, the potential for abuse remains worrying.
dissolved
KLM responded quickly to the NOS report and resolved the problem within a few hours. Customers now must first log in to the My Travel environment of the website before they can access the flight information. This has significantly reduced the safety risk. Although KLM indicates that their systems raised the alarm due to the large amount of suspicious activity during the investigation, the question remains open whether the leak has been exploited before.
The data breach was identified by NOS and security researcher Benjamin Broersma.
Privacy experts and security specialists point out the possible risks and the need for companies to be more transparent about such incidents. The KLM data breach, which also affected sister airline Air France, was a significant security issue in which customers' personal data was accessible to unauthorized parties. The core of the problem lay in the way KLM provided flight information to customers via SMS, using hyperlinks with only six characters. This limited length made the links predictable and therefore vulnerable to automated scraping attacks.
Benjamin Broersma, who was involved in the discovery, noted: “There were actually two things going wrong: the codes were too short, and there were too many working codes.” This indicates a fundamental weakness in the security of the link structure used by KLM. After the NOS report, KLM responded quickly and resolved the problem within a few hours. In a written statement, the company said: “Our IT department immediately took the necessary steps to resolve this.” Customers now have to log in to the My Travel environment of the KLM or Air France website to view their flight information, which has significantly increased security.
Security expert Bert Hubert commented on the situation: “Six characters is just not enough, they could have made it eight or nine.” He emphasized how a small difference in the length of a code can make a big difference in security. Despite KLM's rapid response, the question remains whether the leak has been exploited before. Jaap-Henk Hoepman, senior lecturer in computer security at Radboud University, pointed out the possibility that malicious parties could use less conspicuous methods to avoid detection, such as regularly switching IP addresses.
