Air France Faces Massive Class Action Lawsuit Over Data Breach That Targeted Customer Support System
- In August, Air France and KLM Royal Dutch Airlines revealed they were the latest victims of a cyber attack that allowed hackers to gain access to computer systems containing personal customer information. A new lawsuit alleges Air France didn't do enough to protect the data and failed to maintain "reasonable security safeguards."
Air France is facing a massive class action lawsuit over a cyber attack that may have resulted in personal details of tens of thousands of passengers being stolen and sold on the dark web.
Ethan Allison and Arya Soofiani have filed the lawsuit in a New York district court, alleging Air France didn’t make enough effort to prevent the data breach – something that Allison and Soofiani argue should have been foreseeable given the threat that cyber criminals pose to the aviation industry.
In mid-August, the Air France-KLM Group admitted that it had been the victim of a data breach after a third-party vendor that supplies customer support software to Air France was hacked by cyber criminals.
Passengers who had recently been in contact with Air France or KLM Royal Dutch Airlines could have had their personal data compromised, including their full name, contact details, frequent flyer status, and the subject line of service request emails.
Although the airline made it publicly known that it had fallen victim to a cyber attack in August, the actual data breach may have happened much earlier.
Air France used the same software as Qantas, supplied by the US-based company Salesforce; Qantas revealed it was a victim of a cyber attack targeting the same system in early July.
In both cases, the hackers are not believed to have accessed data such as credit card information or passport numbers, but privacy experts have warned that the stolen data could still be used in a sophisticated identity theft scam.
KLM also warned that the criminals could use the data to target passengers with a type of scam known as phishing, in which scammers send their victims an email that looks like it came from the airline or other legitimate company.
Phishing scams normally try to get victims to click on a link within the email that will usually do one of two things:
- Clicking the link will install malware on the victim’s computer, which can then be used by hackers to view sensitive information like bank login data, etc.
- Or it will redirect passengers to a fake website designed to look like the airline’s own site, where passengers hand over personal details which can then be used by the fraudsters.
The lawsuit alleges “Air France has not implemented reasonable cybersecurity safeguards or policies to protect customers’ personal information or trained its IT or data security personnel to prevent, detect, and stop breaches of its systems.”
Other victims of the Salesforce breach are alleged to include Cartier, Louis Vuitton, and Pandora, as well as Qantas.
Just like Qantas, the Air France-KLM Group plans to offer affected customers complimentary use of a credit monitoring service for several months, but the lawsuit claims this doesn’t “adequately address the lifelong harm that victims will face following the Data Breach.”
News of the first cyber attack on Qantas came just days after cybersecurity firm Unit 42 warned the aviation industry that hackers linked to the infamous Scattered Spider group were attempting to target international airlines.
Scattered Spider often uses ‘social engineering’ to gain access to restricted databases, convincing IT helpdesks to grant them access to sensitive computer systems by pretending they are a real employee who has been locked out of their account.
The case has been filed in the district court for Southern New York under case number 1:25-cv-07634.
Mateusz Maszczynski honed his skills as an international flight attendant at the most prominent airline in the Middle East and has been flying ever since... most recently for a well known European airline. Matt is passionate about the aviation industry and has become an expert in passenger experience and human-centric stories. Always keeping an ear close to the ground, Matt's industry insights, analysis and news coverage is frequently relied upon by some of the biggest names in journalism.
Two people is not a class action. They are just looking for cash and have to be able to prove that the data breach caused them financial losses. The breach also compromised the data of staff.