NOS News
Joost Schellevis, Technical Editor
Private data of KLM customers, including phone numbers, email addresses and in some cases passport data, can easily be obtained by unauthorized persons. This is clear from research conducted by NOS. The data breach also affected customers of sister company Air France.
The data could be collected with an automated script, a technique known as scraping: the information can be downloaded without actually bypassing any security measure. Within a few hours, NOS and security researcher Benjamin Broersma together found more than 900 working links, which often displayed private data in addition to flight information.
Criminals could use passport details, where present, to forge travel documents. The email address and phone number could also be misused, for example in highly targeted phishing attacks against KLM customers.
It was also possible to edit and delete passport and visa information; NOS did not test whether such changes actually go through. KLM would not say whether this is possible.
Link with flight information
The flaw was in the hyperlink containing flight information that KLM customers received by text message. These were short links of six characters, so that they fit easily in a text message. But six characters turned out to be too short to make the links unique enough. A malicious party could simply try links at scale: of every 100 to 200 links entered automatically, one was valid.
“There were actually two errors: the codes were too short, and there were too many working codes,” Broersma says.
KLM resolved the issue within a few hours after being informed by NOS on Friday afternoon. “Our IT department immediately took the necessary measures to resolve this issue,” the company said in a written statement. “Anyone who now clicks on the link must first log in to the My Travel environment of the KLM or Air France website. So the situation is safe and normal again.”
One in 100 to 200 attempts
The company does not want to say how many customers were exposed by the leak. But the fact that one in every 100 to 200 attempts yielded a valid link means that the travel links of many more customers must have been accessible. Not every flight-information link contains private data; NOS could not verify how often that was the case.
KLM says it does not want to respond to this “hypothetical account”. “As we noted previously, we take the privacy of our passengers seriously and implement a very advanced security policy,” the company said.
Someone was asleep
“A very advanced security policy apparently means you have a half-percent chance of success,” says security expert Bert Hubert, who oversaw the intelligence services until last year.
According to Hubert, “someone was asleep” at KLM. “Six letters are not enough; it could have been eight or nine.” The difference between six and eight characters matters enormously when guessing: with six characters there are, in this case, 57 billion combinations; with eight, more than 200 trillion.
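The arithmetic behind Hubert's point can be checked directly. The following Python is an added example, not code from NOS, Broersma or KLM. It assumes a 62-symbol alphabet (upper- and lower-case letters plus digits), which is what reproduces the article's 57 billion and 200 trillion figures, and it takes the number of outstanding links (300 million) as a constructed assumption chosen only because it yields roughly the one-in-100-to-200 hit rate described above. The point it makes goes slightly beyond the article: the guessing risk depends on the ratio of live codes to the keyspace, so both the code length and the number of live codes matter, and the required length can be derived from a target per-guess probability.

```python
import secrets
import string

# Alphabet assumed for the short codes: 26 + 26 + 10 = 62 symbols.
# 62**6 = 56,800,235,584 ("57 billion") and 62**8 = 218,340,105,584,896
# ("over 200 trillion"), matching the figures quoted in the article.
ALPHABET = string.ascii_letters + string.digits


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct codes of the given length."""
    return alphabet_size ** length


def hit_probability(live_codes: int, length: int,
                    alphabet_size: int = len(ALPHABET)) -> float:
    """Chance that one uniformly random guess lands on a live code.

    Assumes codes are drawn uniformly at random, so the live fraction of
    the keyspace is simply live_codes / keyspace.
    """
    return live_codes / keyspace(length, alphabet_size)


def expected_guesses_per_hit(live_codes: int, length: int,
                             alphabet_size: int = len(ALPHABET)) -> float:
    """Average number of random guesses needed before one hits a live code."""
    return 1.0 / hit_probability(live_codes, length, alphabet_size)


def min_length_for(live_codes: int, max_hit_probability: float,
                   alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest code length that keeps the per-guess hit chance at or
    below the target, for a given number of outstanding codes."""
    length = 1
    while live_codes / (alphabet_size ** length) > max_hit_probability:
        length += 1
    return length


def new_code(length: int) -> str:
    """Generate a code with a CSPRNG (secrets), never with random.choice()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    live = 300_000_000  # constructed assumption: outstanding links, not a KLM figure
    for n in (6, 8, 10):
        print(f"{n} chars: keyspace {keyspace(n):,}, "
              f"about 1 hit per {expected_guesses_per_hit(live, n):,.0f} guesses")
    print("length for <= 1 in a million per guess:", min_length_for(live, 1e-6))
    print("length for <= 1 in a billion per guess:", min_length_for(live, 1e-9))
    print("example 10-character code:", new_code(10))
```

With 300 million live codes, six characters give about one hit per 190 guesses, which is the regime the article describes; eight characters push that to roughly one per 730,000 guesses, and ten characters to about one per 2.8 billion. Length alone is not the whole story, though: the same computation shows that letting the number of live codes grow (for example by never expiring old links) moves the hit rate back up.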
Suspicious activities
It is not known whether the vulnerability was exploited. KLM notes that its systems had already raised the alarm because of the “large amount of suspicious activity” generated by the NOS and Broersma investigation. “A team is taking the necessary security measures,” the company said. “This indicates that the system is working, and it was not possible to access it from elsewhere.”
“But the fact that they saw you says nothing about what other people did,” says Jaap-Henk Hoepman, senior lecturer in computer security at Radboud University. NOS made no effort to stay under the radar; malicious parties could, for example by changing IP address every few seconds. Moreover, in this case it took more than five hours before KLM blocked the IP addresses from which the suspicious activity came.
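Hoepman's remark points at a detection gap: blocking by source address catches a noisy single client but not a guesser spreading attempts over many addresses. The following Python is an added example, not code from NOS or KLM, showing a defender-side check that looks at both views over a sliding window: a per-address miss budget, and the aggregate miss ratio across all clients, which keeps rising even when each address only makes a couple of requests. The log format, the addresses and the traffic are constructed for the example; real short-link services will log differently.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) access-log format for a short-link endpoint:
#   "<ISO timestamp> <client ip> GET /s/<code> <status>"
# A 404 means the code did not resolve, i.e. a miss.
LINE_RE = re.compile(r"^(\S+) (\S+) GET /s/(\w+) (\d{3})$")


def parse(line):
    """Return (timestamp, ip, code, status) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, code, status = m.groups()
    return datetime.fromisoformat(ts), ip, code, int(status)


def build_sample_log():
    """Constructed traffic: one normal user, one noisy guesser from a single
    address, and one guesser that rotates addresses every two seconds."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    lines = [f"{t0.isoformat()} 198.51.100.7 GET /s/aB3xQ9 200"]
    for i in range(30):  # single address: 30 misses in 30 seconds
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} "
                     f"203.0.113.5 GET /s/x{i:05d} 404")
    for i in range(40):  # rotating addresses: only 2 misses per address
        ip = f"192.0.2.{i + 1}"
        for j in range(2):
            lines.append(f"{(t0 + timedelta(seconds=2 * i + j)).isoformat()} "
                         f"{ip} GET /s/y{i:03d}{j} 404")
    return sorted(lines)


def analyze(lines, window=timedelta(minutes=1), per_ip_max_misses=10,
            global_miss_ratio=0.5, min_requests=20):
    """Sliding-window check over the log.

    Returns (flagged_ips, global_alert): addresses whose misses within one
    window exceeded per_ip_max_misses, and whether the miss ratio across all
    clients reached global_miss_ratio in any window holding at least
    min_requests requests. The second signal is what survives IP rotation.
    """
    events = [e for e in (parse(l) for l in lines) if e]
    events.sort(key=lambda e: e[0])
    per_ip = defaultdict(deque)  # ip -> timestamps of its recent misses
    recent = deque()             # (timestamp, is_miss) for all requests
    misses_in_window = 0
    flagged, global_alert = set(), False
    for ts, ip, _code, status in events:
        miss = status == 404
        recent.append((ts, miss))
        misses_in_window += int(miss)
        while recent and ts - recent[0][0] > window:
            _, old_miss = recent.popleft()
            misses_in_window -= int(old_miss)
        if (len(recent) >= min_requests
                and misses_in_window / len(recent) >= global_miss_ratio):
            global_alert = True
        if miss:
            q = per_ip[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) > per_ip_max_misses:
                flagged.add(ip)
    return flagged, global_alert


if __name__ == "__main__":
    flagged, alert = analyze(build_sample_log())
    print("addresses over the per-IP miss budget:", sorted(flagged))
    print("aggregate miss ratio alert:", alert)
```

On the constructed sample only 203.0.113.5 trips the per-address budget; the forty rotating addresses each stay under it, yet the aggregate alert fires because almost every request in the window is a miss. The thresholds are illustrative and would be tuned against a service's normal miss rate.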
It’s often difficult to then determine whether there’s been abuse, says privacy consultant Floor Terra of the Privacy Company. “But sometimes companies can do it very well. It is often difficult for the outside world to appreciate that.” In Terra’s experience, companies aren’t always honest about this.
KLM does not want to explain how it can rule out further misuse of the leak. “We cannot share details of our security policy and measures with you.”