Domestic news, Monday 18 December 2023, 06:38
KLM leaked data customers: private data easily collected
This article was translated using an automatic translation service. The original article was written in Dutch by our editors. The editors are not responsible for any errors in the article due to the automatic translation.
Private data of KLM customers, including phone numbers, e-mail addresses and, in some cases, passport details, were easily accessible to unauthorised persons. This is according to an investigation by NOS. The data leak also affected customers of sister company Air France.
Using an automated script, the data could easily be scraped: information could be downloaded without actually having to bypass any security. In a few hours, NOS and security researcher Benjamin Broersma together found more than 900 working links behind which, alongside flight information, private data could often be seen.
That information could be used by cyber criminals to issue fake travel documents, if passport data were indeed present. But an e-mail address and phone number could also be misused, for example for highly targeted phishing to KLM customers.
There was also the possibility of editing and deleting passport and visa information; whether that could actually have been done, NOS did not test. KLM would not say whether it was possible.

Link with flight information

The error was in the hyperlink with flight information that KLM customers were sent via text message. These were extra short links with six characters, so they could easily fit into a text message. However, they turned out to be so short that they were not unique enough. A malicious person could try to access links on a large scale; of every 100 to 200 addresses entered automatically, one would be valid.
"Two things actually went wrong: the codes were too short, and there were too many working codes," says Broersma.
After being informed by NOS on Friday afternoon, KLM fixed the problem within a few hours. "Our IT department immediately took the necessary measures to fix this," the company said in a written statement. "Anyone who now clicks on the link must first log in to the My Trip environment of the KLM or Air France website. As a result, the situation is safe and normal again."

100 to 200 attempts

How many customers were susceptible to the leak, the company would not say. However, the fact that every 100 to 200 attempts produced a valid link means that many customers' flight links must have been accessible. Not all links with flight information contained private data; NOS was unable to verify how often this was the case.
KLM said it did not wish to comment on this "hypothetical calculation". "As previously stated, we take the privacy of our passengers seriously and pursue a very sophisticated security policy in this regard," the company said.

"Someone really has been asleep here." - Security expert Bert Hubert
"An advanced security policy apparently means that you have a half-percent chance of success," says security expert Bert Hubert, until last year an intelligence regulator.
According to Hubert, "someone has been asleep" at KLM. "Six characters is just really not enough, they could have made it eight or nine." The difference between six and eight characters hugely changes how guessable the codes are: with six characters, in this case, there are 57 billion combinations; with eight characters, more than 200 trillion.

Suspicious activities

Whether the leak was exploited is unknown. KLM notes that the system was already sounding the alarm due to the "large amount of suspicious activity" caused by the NOS and Broersma investigation. Since then, "a team was taking the necessary security measures. This shows that the system works and further access was not possible," the airline said.
"But the fact that they saw you doesn't mean anything about what others did," says Jaap-Henk Hoepman, senior lecturer in computer security at Radboud University. NOS made no effort to stay under the radar; malicious people could do so, for instance by switching IP addresses every few seconds. Moreover, in this case it still took more than five hours for KLM to block the IP addresses from which the suspicious activity came.
In hindsight, it is often difficult to determine whether abuse has occurred, Privacy Company's privacy consultant Floor Terra also says. "But sometimes companies can do that very well. That is often difficult for the outside world to assess." In Terra's experience, companies are not always honest about this.
KLM would not explain how it could rule out other misuse of the leak. "The details of our security policy and measures we cannot share with you," the company said.


For this story, NOS and security researcher Benjamin Broersma sent automated requests to the KLM website for links with potentially valid codes belonging to KLM customers. We did this to test whether there was a security problem. When that turned out to be the case, NOS informed KLM.
KLM, despite repeated requests from NOS, would not specify how many customers had valid links and were thus susceptible to the security problem. The company only states that the links were sent to a "small percentage" of customers, without mentioning that percentage. Moreover, that says nothing about the number of links that worked but were not actively sent. Therefore, NOS tried to estimate the extent of the security problem itself.
About 0.5 to 1.5 per cent of the links tried eventually turned out to work. Since links could consist of at least upper-case letters, lower-case letters and numbers, there are at least 56.8 billion possible combinations. According to the most conservative estimate, if 0.5 per cent turned out to be correct, that would be 284 million correct combinations.
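The arithmetic behind the estimates above, as an added worked example (not NOS's or Broersma's code). It assumes the 62-symbol alphabet the article mentions and the conservative 0.5 per cent hit rate, and goes one step further than the article by holding the number of live codes fixed and computing how the odds change at eight characters, and which code length is needed for a given target.

```python
import secrets
import string

# Alphabet the article mentions: upper-case letters, lower-case letters and digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct codes of the given length."""
    return alphabet_size ** length


def expected_valid_codes(length: int, hit_rate: float) -> int:
    """Live codes implied by a measured hit rate (fraction of random codes that resolved)."""
    return round(keyspace(length) * hit_rate)


def attempts_per_valid_link(length: int, valid_codes: int) -> float:
    """Average number of random codes of this length per code that points at a live link."""
    return keyspace(length) / valid_codes


def min_length_for(valid_codes: int, target_attempts: int) -> int:
    """Smallest code length at which, with valid_codes live codes, a random code
    resolves no more often than once per target_attempts tries."""
    length = 1
    while keyspace(length) < valid_codes * target_attempts:
        length += 1
    return length


def generate_code(length: int) -> str:
    """Generate a code with the CSPRNG in `secrets` (not `random`) so codes are unpredictable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    valid = expected_valid_codes(6, 0.005)  # the article's 284 million
    print(f"6-char keyspace: {keyspace(6):,}; live codes at 0.5%: {valid:,}")
    print(f"attempts per live link at 6 chars: {attempts_per_valid_link(6, valid):,.0f}")
    print(f"attempts per live link at 8 chars: {attempts_per_valid_link(8, valid):,.0f}")
    print(f"length needed for one hit per million tries: {min_length_for(valid, 1_000_000)}")
    print("sample 9-char code:", generate_code(9))
```

With the same 284 million live codes, two extra characters move the odds from one hit in 200 tries to roughly one in 770,000, and nine characters are needed to get below one in a million, which is the range Hubert names.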