{
	"id": "3eb4dff4-ca4f-43b8-86ed-69e0911eb795",
	"created_at": "2026-04-06T00:19:31.692872Z",
	"updated_at": "2026-04-10T03:34:59.553548Z",
	"deleted_at": null,
	"sha1_hash": "3fae940e205bd1404176703f514e12b6b4599b1f",
	"title": "Air France and KLM disclose data breaches impacting customers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1479069,
	"plain_text": "Air France and KLM disclose data breaches impacting customers\r\nBy Sergiu Gatlan\r\nPublished: 2025-08-07 · Archived: 2026-04-05 20:24:41 UTC\r\nAir France and KLM announced on Wednesday that attackers had breached a customer service platform and stolen the data\r\nof an undisclosed number of customers.\r\nTogether with Transavia, Air France and KLM are part of Air France–KLM Group, a French-Dutch multinational airline\r\nholding company founded in 2004 and a major player in international air transport.\r\nWith a fleet of 564 aircraft and 78,000 employees, Air France-KLM provides services to up to 300 destinations in 90\r\ncountries. In 2024, the aviation group transported 98 million passengers worldwide.\r\nhttps://www.bleepingcomputer.com/news/security/air-france-and-klm-disclose-data-breaches-impacting-customers/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/air-france-and-klm-disclose-data-breaches-impacting-customers/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nThe two airlines stated that they've cut off the attackers' access to the compromised systems after discovering the breach and\r\nadded that their networks were not affected by the attack.\r\n\"Air France and KLM have detected unusual activity on an external platform we use for customer service. This activity\r\nresulted in unauthorized access to customer data,\" they said. \"Our IT security teams, along with the relevant external party,\r\ntook immediate action to stop the unauthorized access. Measures have also been implemented to prevent recurrence. Internal\r\nAir France and KLM systems were not affected.\"\r\nWhile the attackers gained access to customer data, such as names, email addreses, phone numbers, rewards program\r\ninformation, and latest transactions, Air France and KLM said that the customers' financial and personal information was not\r\naffected.\r\nThe airlines have also notified relevant authorities in their countries of the incident and are now also alerting impacted\r\nindividuals that their data was stolen.\r\n\"KLM has reported the incident to the Dutch Data Protection Authority; Air France has done so in France with the CNIL,\"\r\nthey added. \"Customers whose data may have been accessed are currently being informed and advised to be extra vigilant\r\nfor suspicious emails or phone calls.\"\r\nSalesforce data theft attacks\r\nBleepingComputer has learned that this incident is part of a wave of data breaches linked to the ShinyHunters extortion\r\ngroup, which targets Salesforce instances in vishing and social engineering attacks.\r\nMultiple other high-profile companies, including Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany \u0026 Co., Chanel,\r\nand, most recently, Google, were also recently breached in this campaign.\r\nAn Air France–KLM spokesperson stated that the company would not provide additional information due to an ongoing\r\ninvestigation when asked by BleepingComputer to confirm whether the data was stolen from a compromised Salesforce\r\ninstance and disclose the number of individuals affected.\r\nThe Air France–KLM incident also comes on the heels of other aviation breaches linked to the Scattered Spider hacker\r\ncollective, which has shifted its focus to aviation and transportation firms in recent months, breaching WestJet and Hawaiian\r\nAirlines after previously targeting the insurance and retail sectors.\r\nUpdate August 07, 08:00 EDT: Added Air France–KLM statement.\r\nhttps://www.bleepingcomputer.com/news/security/air-france-and-klm-disclose-data-breaches-impacting-customers/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/air-france-and-klm-disclose-data-breaches-impacting-customers/\r\nhttps://www.bleepingcomputer.com/news/security/air-france-and-klm-disclose-data-breaches-impacting-customers/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/air-france-and-klm-disclose-data-breaches-impacting-customers/"
	],
	"report_names": [
		"air-france-and-klm-disclose-data-breaches-impacting-customers"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434771,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3fae940e205bd1404176703f514e12b6b4599b1f.pdf",
		"text": "https://archive.orkl.eu/3fae940e205bd1404176703f514e12b6b4599b1f.txt",
		"img": "https://archive.orkl.eu/3fae940e205bd1404176703f514e12b6b4599b1f.jpg"
	}
}