Introduction
In my cyber resilience masterclasses, I always stress the power of social engineering – the art of influencing and manipulating people to obtain confidential information. It’s a field I was personally trained in years ago by my friend Kevin Mitnick – once the world’s most wanted hacker, later a respected security expert and author of The Art of Deception. Kevin taught me how seemingly harmless details, when pieced together, can have enormous impact.
The recent KLM data breach illustrates this perfectly.
What we know about the breach
A few days ago, Het Parool reported: “Hack at KLM; customer data stolen.” Shortly after, KLM sent official notification emails to affected Flying Blue members and informed the Dutch Data Protection Authority. A hack also took place in 2023.
The breach occurred at a third-party supplier handling KLM’s customer service – once again proving that external vendors are often the weakest link.
Two versions of the same notification
After receiving several reactions and screenshots from others via WhatsApp and Signal, I noticed something I haven’t seen mentioned in the media: two different versions of KLM’s official notification are circulating.
- Version 1: explicitly states that “remarks made by our customer service agents” (customer service notes) were also exposed.
- Version 2: omits this entirely.
In the individual notification emails, KLM never explained why there are two versions or which customers lost which type of data.
Why customer service notes are a goldmine
This goes beyond names and contact details. Notes written by customer service staff could include:
- Context from past complaints or calls
- Personal preferences or circumstances
- Medical information
- Details that may seem harmless in isolation, but together build a rich profile
For attackers, these notes are a goldmine for advanced social engineering. They reveal not just personal data, but also how you communicate, travel, and the issues you’ve faced. That makes phishing, impersonation, or targeted scams far more convincing.
Why this matters even without “sensitive” data
Even if no passport numbers, credit card details, or passwords were stolen, the combination of Flying Blue membership data and customer service notes can be exploited. If you are in a high-visibility position – such as a director, manager, artist, or public figure – the risk only increases. See also my LinkedIn post for more details.
My take and call to action
Trained by Kevin Mitnick, I learned that the most dangerous hacks often start with exploiting seemingly small pieces of information. This incident proves that again.
I’ve asked KLM to provide me with the exact customer service notes stored about me in their systems. So far, I’ve received no response. Without this clarity, customers remain in the dark about what was actually exposed.
Did you also receive KLM’s notification email? Which version did you get – 1 or 2? Let me know in our contact form.