Air France-KLM Data Breach: CISO lessons

Gad Rosenthal, Product Management at Eureka Security

Data breaches have become an all too common occurrence. No company is immune, including industry giants like Air France-KLM. On January 9, 2023, the airline company experienced a data breach that started as suspicious activity in its Flying Blue customer database. This incident raises concerns about the security of critical data and the impact of cloud data breaches. In this blog post, we will take a closer look at the details of the Air France-KLM data breach, its impact, and the lessons that can be learned to help prevent similar incidents in the future.

Details of the Data Breach

Customers of Air France and KLM’s Flying Blue loyalty program received notifications that a portion of their personal information was made public after a compromise in the security of their accounts. The list of data that might have been compromised includes the individuals’ names, email addresses, phone numbers, most recent purchases, and Flying Blue information such as their accumulated mile balance. However, in a joint statement, Air France and KLM acknowledged the data breach and reassured customers that other critical sensitive information, such as credit card details and passport numbers, had not been compromised. The company has not yet revealed whether the incident was the result of hackers penetrating the company's environment or if customer accounts were accessed through another source.

The Air France-KLM data breach is one of many that have occurred in the airline industry in the past year. Other notable incidents include Philippine Airlines, Pegasus Airlines, Akasa Air, American Airlines, TAP Air Portugal and AirAsia, and many other major airlines, such as British Airways, Cathay Pacific, Finnair, Japan Airlines, Jeju Air, Lufthansa, Malaysia Airlines, New Zealand Air, SAS, Singapore Airlines and United, have all suffered data breaches. These incidents have raised concerns about the industry's overall data security and highlight the need for increased measures to protect sensitive customer information.

These data breaches serve as a sobering reminder of the importance of data security, particularly in industries that hold sensitive personal information, which is a valuable commodity on the black market. It is not a question of whether a breach will happen, but when, making it crucial for all companies to have robust data security measures in place. With this in mind, it's important for CISOs to take note of the lessons that can be learned from this recent incident, to prevent future breaches and better protect customer data.

Lessons for CISOs

This data breach serves as a reminder of the importance of having security protocols in place, not just for Air France-KLM but for all companies. It's essential to regularly monitor your cloud environment. Having a plan in place for how to handle a data breach is also crucial in minimizing its impact.

Review the basics. Regardless of how developed your program is or how big the budget may be, it is always appropriate to take a step back and review the basics of cloud security quarterly, to ensure your teams have the right tools to manage cloud data. Consider answering the following questions:

  • “Where is my data?” Knowing where your data resides, whether in cloud-native structured and unstructured data stores, block storage, PaaS data stores, or other critical data locations, is essential for protecting it.
  • “What is my data?” Classifying the types of data you have tells you whether your data is sensitive and what kind of data it is, which helps prioritize risk management for critical assets.
  • “Who or what has access to my data? And how has it been used?” Identify who has access to sensitive information and confirm that only authorized users do, so you can manage data security risks proactively.
  • “Do I have the right tools? Am I utilizing the right services?” Utilize tools and services that can scan your entire cloud infrastructure to discover sensitive data that may not be properly protected.

Implement controls. Implementing controls around who has access to data is fundamental to any data security and compliance program. Well-established internal and regulatory requirements that align with business needs allow you to have clear controls. Key elements of these controls include clear ownership and accountability, a strong security baseline including encryption and least-privilege access, effective monitoring and alerts, and proper data classification. In cases where compliance requirements are complex, involving both security and privacy, it is important to have compensating controls in place to ensure that business needs do not take precedence over security and compliance requirements.

Continuously audit and monitor. Audits are expected to review every aspect of the information security program, the environment in which the program runs, and the outputs of the program. These audits should report control deficiencies to decision-makers, identify root causes and recommend corrective action for deficiencies. Audits should track the results and the remediation of the control deficiencies they report, along with any additional technical reviews. Audits are a beneficial tool for getting things done and tracking progress from previous audit rounds, not something to play hide-and-seek with.

Create a security culture. Organizations with a stronger security culture are generally expected to integrate information security into new initiatives from the outset and throughout the lifecycle of services and applications. An effective security-driven culture should be prioritized from the top down to demonstrate the importance of the issue.

Create an Incident Response plan and practice. Start by building your incident response team or virtual team, preparing an incident response plan, and practicing it. Preparing an incident response plan may include building on existing incident response knowledge, and the plan should clearly outline what procedures to enact during a threat. The top priority is to contain the nefarious activities and the attacker to protect as much of your critical data as possible. Practicing the plan may surface known and unknown issues, helping your team reduce response and mitigation time in future incidents.

Data is Scattered Everywhere: Prepare for the Worst

Breaches like this one serve as a reminder that you should plan ahead to limit the amount of damage that a data breach could cause. As Murphy’s Law goes, anything that can go wrong will go wrong; it’s only a matter of time. Don’t wait until after you detect a breach to spring into action.
