Air France and KLM Royal Dutch Airlines have begun notifying customers of a data breach involving a third-party service provider that exposed personal information of loyalty program members and other passengers. The companies confirmed the breach in an official statement, saying their cybersecurity teams are investigating the incident alongside the affected vendor.
Customer information accessed via compromised third-party system
The breach originated from a platform used by the airlines’ customer service teams. Though the airlines themselves were not directly compromised, attackers were able to access customer data held by the third-party provider. Both Air France and KLM are subsidiaries of the Air France-KLM Group, one of Europe’s largest airline holdings.
“Unusual activity was detected on a third-party platform used by our contact centres, which led our IT security team, together with the third-party system involved, to swiftly implement corrective measures to put an end to the incident,” the company said in a statement.
The compromised data includes personally identifiable information (PII), such as:
- Full names and surnames
- Contact details
- Flying Blue loyalty program numbers and membership tiers
- Subject lines of customer service emails
Critically, the airlines confirmed that no passport numbers, payment details, account passwords, or Flying Blue miles balances were exposed during the breach.
Air France-KLM warns of increased cyber risk to affected customers
While the exact number of affected individuals has not been disclosed, the type of data accessed could make impacted customers vulnerable to phishing and impersonation attacks. Threat actors may use the stolen information to craft convincing scams, such as flight cancellation alerts or account verification requests, posing as airline representatives.
The breach notification also noted that the Dutch Data Protection Authority has been informed of the incident. Impacted customers are being advised to exercise caution when receiving unsolicited messages, particularly those requesting personal details or payment information.
KLM and Air France respond to breach amid strong market presence
KLM, operating a fleet of nearly 200 aircraft and employing over 36,000 staff, is a major player in the European aviation market with annual revenue above $14.5 billion. Air France, its sister carrier, employs 38,000 people and generated nearly $19 billion in revenue last year. The breach poses reputational and regulatory risks for both carriers, especially given their scale and reach.