Air France and KLM Data Breach Exposes Customer Info via Third-Party Vendor

Air France and KLM have disclosed a data breach that has affected some of their customers. The incident happened through a third-party service provider that helps the airline group manage customer communication. This platform was compromised by attackers who were able to access limited customer information.

The airlines confirmed that the breach impacted customers who are part of the Flying Blue loyalty program. The attackers may have viewed personal details such as names, email addresses, phone numbers, and Flying Blue membership numbers. They may also have seen the level of the customer’s frequent flyer status and the subject lines of recent messages.

Both Air France and KLM clarified that no sensitive data was compromised in the breach. This includes passwords, payment details, passport numbers, and travel information, which all remain secure. Their internal systems and the Flying Blue platform itself were not affected by the incident.

The breach occurred at the end of July 2025. The third-party provider detected unauthorized access and informed the airline group shortly after. As soon as the issue was identified, Air France and KLM worked closely with the provider to block further access and start a full investigation into the incident.

At this stage, it is still unclear how many customers have been affected by the breach. However, the airlines have started notifying individuals whose information may have been exposed. They are also offering advice on how to stay alert for potential phishing scams and fraud attempts.

Customers are being warned to be cautious of suspicious emails, text messages, or phone calls. If someone receives unexpected communication claiming to be from the airline, they should double-check the source before taking any action. This is especially important if the message asks for personal or financial information.

The data breach has been reported to the data protection authorities in both France and the Netherlands. This includes the CNIL in France and the Dutch Data Protection Authority. These authorities are now involved in overseeing the investigation and ensuring that proper steps are taken to prevent similar incidents in the future.

The airline group has taken the matter seriously and assured customers that they are working to improve their data protection systems. They are also reviewing their partnerships with third-party service providers to strengthen security across all platforms that handle customer data.

Experts say this incident is another reminder of how important it is to secure third-party vendors. Even if a company’s core systems are strong, hackers can often find ways in through less-protected partners. These indirect attacks are becoming more common in the aviation and travel industries.

While this data breach did not involve financial or highly sensitive data, it still poses a risk to customers. Attackers could use the stolen information for phishing or social engineering attacks. As always, customers are advised to stay cautious, report anything suspicious, and rely only on official channels for communication with the airlines.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news