Topline<\/p>\n
Air France and KLM Royal Dutch Airlines\u2014the flagship carriers of France and the Netherlands\u2014were the latest in a string of global carriers to be hacked since mid-June.<\/p>\n
Five global airlines\u2014WestJet in Canada, Hawaiian Airlines in the US, Qantas in Australia, Air France in France and KLM in the Netherlands\u2014have been hacked in the past two months.<\/p>\n
gettyKey Facts<\/p>\n
On Thursday, Air France alerted customers<\/a> via email of \u201ca recent data breach involving your personal data\u201d whereby \u201ca fraudster gained limited access to a third-party system that is used by Air France.\u201d<\/p>\n KLM, which sent a similar breach notification to its customers, confirmed to Forbes in an email that the incident \u201coccurred last week and it was quickly analyzed and contained.\u201d<\/p>\n Some customers\u2019 first names, frequent flyer numbers and tier levels were exposed, but credit card details, passport numbers, frequent flyer miles balances and booking information were not, according to the email to Air France customers.<\/p>\n A hacker group called ShinyHunters claims to be behind the attacks, and cyber experts believe this group overlaps with Scattered Spider, which was behind the WestJet, Hawaiian and Qantas breaches<\/a>.<\/p>\n KLM sent a similar breach notification to its customers and said in a press release<\/a> that it had \u201cdetected unusual activity on an external platform we use for customer service.\u201d<\/p>\n Neither Air France nor KLM has disclosed which customer service platform was breached, but multiple cybersecurity authorities, including the cybersecurity software company Malwarebytes<\/a> and Infosecurity<\/a> magazine, have chronicled how ShinyHunters have had success targeting high-profile Salesforce customers, including Google<\/a>, Cisco, Adidas and Allianz.<\/p>\n Why Are Airlines Being Targeted?<\/p>\n Airlines make good targets because they are so complex, William Wright, a Scotland-based cybersecurity expert for Closed Door Security<\/a>, told Forbes. \u201cThey are massive, with loads and loads of supply chain,\u201d he said. \u201cIt\u2019s very obvious where the weak links are. Unfortunately for the airlines, there\u2019s very little they can do directly, because usually it\u2019s a third party that owns the system.\u201d<\/p>\n What Is Shinyhunters?<\/p>\n Named after a popular practice among Pok\u00e9mon players to actively seek out and try to capture \u201cshiny Pok\u00e9mon,\u201d ShinyHunters is a well-established black-hat hacking collective responsible for several high-profile data breaches and leaks in recent years. Recent victims include Ticketmaster<\/a> and the Spanish online bank Santander<\/a>. ShinyHunters are thought to be affiliated with Scattered Spider, a loose community of hackers that has been credited with many high-profile cyberattacks in recent years, including the 2023 ransomware attacks<\/a> on MGM Resorts and Caesars Entertainment, the British retailer Marks & Spencer<\/a> and the insurance company Aflac<\/a>. But it can often be difficult to attribute a cyberhack to a specific group, Wright told Forbes. \u201cYou quite often see people with specific skill sets being called into different groups. If we use Spider as an example, it\u2019s possible one of their team has a specific set of skills with Salesforce, and therefore ShinyHunters has hired them. They will recruit from other groups when they have skill set requirements.\u201d<\/p>\n Why Are Frequent Flyer Miles So Valuable To Hackers?<\/p>\n Loyalty programs are often poorly protected, Wright told Forbes. A second built-in vulnerability is the flexibility they offer customers in how they can spend miles or points. Air France\u2019s Flying Blue program<\/a> is typical in allowing customers to spend miles on items other than flights\u2014including hotels, duty-free shopping and online shopping. \u201cThe main thing that any attacker wants to do is get the asset out of whatever system it’s in,\u201d Wright said. \u201cIf they can spend the reward points on other things, then that’s the way they’ll do it. And once those points leave the airline, they are essentially untraceable.\u201d<\/p>\n What We Don\u2019t Know<\/p>\n If the airline hacks are part of what Infosecurity calls<\/a> \u201can ongoing data theft campaign targeting Salesforce instances.\u201d Many of ShinyHunters\u2019 attacks employ voice phishing, as Google Threat Intelligence Group explained in a recent blog post<\/a>: \u201cThis approach has proven particularly effective in tricking employees, often within English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of organization\u2019s Salesforce data. In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce.\u201d All of this has led cybersecurity experts to believe the hacks were the work of Salesforce experts. \u201cTypically, what you get is a collection of people who have a specific set of skills. And it may very well be the reason they’re targeting Salesforce is because the people who are behind it actually know Salesforce,\u201d Wright speculated. \u201cMost likely if these attackers are ever caught, we’ll probably find they used to be Salesforce developers or Salesforce administrators, or there will be some connection there.\u201d Salesforce denied that its software is the weak link. \u201cThe Salesforce platform has not been compromised, and this issue is not due to any known vulnerability in our technology,\u201d a company spokesperson told Forbes in an email. \u201cIt\u2019s true that the Salesforce platform itself hasn\u2019t had a vulnerability, but it\u2019s being used maliciously. It\u2019s that fine line between a very customizable piece of software and opening the door to misuse,\u201d Wright said.<\/p>\n Surprising Fact<\/p>\n The hackers pulling off these huge breaches are often in their early 20s or even teens. \u201cA lot of these groups who are not state aligned tend to be a group of younger people who are bored, have a skill set but just don’t have that moral boundary to go off and do these things,\u201d Wright said. \u201cThey definitely have much less experience in life with consequences.\u201d<\/p>\n Further Reading<\/p>\n