Airline travel is often associated with a sense of security and convenience, but in recent months, several major carriers have fallen victim to cyberattacks. The latest incidents involve two prominent European airlines: Air France and KLM Royal Dutch Airlines.
On Thursday, Air France alerted customers via email of “a recent data breach involving your personal data” whereby “a fraudster gained limited access to a third-party system that is used by Air France.”
KLM, which sent a similar breach notification to its customers, confirmed to Forbes in an email that the incident “occurred last week and it was quickly analyzed and contained.” Some customers’ first names, frequent flyer numbers and tier levels were exposed, but credit card details, passport numbers, frequent flyer miles balances and booking information were not, according to the email to Air France customers.
A hacker group called ShinyHunters claims to be behind the attacks, and cyber experts believe this group overlaps with Scattered Spider, which was behind the WestJet, Hawaiian and Qantas breaches.
“Airlines make good targets because they are so complex,” said William Wright, a Scotland-based cybersecurity expert for Closed Door Security. “They are massive, with loads and loads of supply chain.”
Airlines are particularly vulnerable to cyberattacks due to their complexity and reliance on third-party systems. This can make it difficult for them to detect and prevent breaches.
Named after a popular practice among Pokémon players of actively seeking out and trying to capture “shiny Pokémon,” ShinyHunters is a well-established black-hat hacking collective responsible for several high-profile data breaches and leaks in recent years. Recent victims include Ticketmaster and the Spanish online bank Santander.
ShinyHunters is thought to be affiliated with Scattered Spider, a loose community of hackers that has been credited with many high-profile cyberattacks in recent years, including the 2023 ransomware attacks on MGM Resorts and Caesars Entertainment, as well as attacks on the British retailer Marks & Spencer and the insurance company Aflac.
However, it can often be difficult to attribute a cyberattack to a specific group. Wright told Forbes that “you quite often see people with specific skill sets being called into different groups. If we use Spider as an example, it’s possible one of their team has a specific set of skills with Salesforce, and therefore ShinyHunters has hired them.”
Wright also explained that loyalty programs are often poorly protected, making them attractive targets for hackers. “The main thing that any attacker wants to do is get the asset out of whatever system it's in,” Wright said. “If they can spend the reward points on other things, then that's the way they'll do it. And once those points leave the airline, they are essentially untraceable.”
Wright speculated that the hacks were the work of Salesforce experts, who have a deep understanding of the platform and its capabilities. “Typically, what you get is a collection of people who have a specific set of skills. And it may very well be the reason they're targeting Salesforce is because the people who are behind it actually know Salesforce,” Wright said.
Salesforce denied that its software is the weak link, stating that “the Salesforce platform has not been compromised, and this issue is not due to any known vulnerability in our technology.”
Wright also noted that the hackers pulling off these huge breaches are often in their early 20s or even teens. “A lot of these groups who are not state aligned tend to be a group of younger people who are bored, have a skill set but just don't have that moral boundary to go off and do these things,” Wright said.
These young hackers often lack experience with the consequences that come with committing serious cybercrimes. “They definitely have much less experience in life with consequences,” Wright said.