Air France-KLM cyberattack hits third-party platform

Published on Aug 8, 2025, 1:56 pm CDT

5 min read

Air France-KLM confirmed that hackers accessed a third-party platform used by its contact centers, exposing some customer data tied to service inquiries. The group said no sensitive data, including passwords, passport numbers, credit card details, travel itineraries, or Flying Blue mileage balances, was taken. Customers whose information may have been accessed are being notified and advised to watch for phishing attempts. The incident was detected during the week of July 28, 2025, and was contained after protective measures were implemented. Internal Air France and KLM systems remain secure, according to the company.

Key Points

Why it matters: Third-party vendor breaches can expose loyalty data without touching core airline systems.
Travel impact: No schedule disruptions reported, but heightened phishing risk for Flying Blue members.
What's next: Regulators in France and the Netherlands reviewing notifications.
Scope: Names, emails, phone numbers, and Flying Blue numbers possibly exposed.
Advice: Be skeptical of unexpected account-verification requests and never share one-time codes.

Snapshot

The breach stems from unauthorized access to an external customer-service platform used by Air France and KLM. Exposed fields may include names, contact details, Flying Blue membership numbers, tier status, and the subject lines of customer emails. The airlines say financial data, passports, itineraries, and program balances were not affected. Both carriers cut access, notified data-protection authorities, and started contacting impacted customers. The event fits a wider pattern of supply-chain intrusions that target call-center or CRM tools, where attackers harvest identity fragments for targeted scams. Travelers should assume increased phishing risk and secure accounts with strong passwords and multifactor authentication.

Background

Global airlines have faced a wave of cyber incidents since June. Hawaiian Airlines reported a hack that disrupted some IT systems on June 26, while flights operated as scheduled. WestJet disclosed a June 13 cybersecurity event and issued a late-July update. Qantas confirmed a breach affecting about 5.7 million customers through a third-party contact-center platform. On July 28, pro-Ukrainian hackers claimed a large attack on Aeroflot that forced cancellations. The common thread is vendor or contact-center exposure, which can reveal loyalty identifiers that are valuable for social-engineering attempts. Regulators increasingly scrutinize these incidents, and breach notifications typically urge customers to watch for phishing and SIM-swap scams.

Latest Developments

What was exposed, and what was not

Air France-KLM says attackers accessed names, emails, phone numbers, Flying Blue numbers and status, plus subject lines of service requests, but not passwords, payment data, passports, itineraries, or mileage balances. The company cut off access and reinforced controls with the unnamed vendor. Customers are being notified directly and urged to treat unsolicited contacts with caution. Read the company's statement as reported by BleepingComputer (English). External link: company statement summary via BleepingComputer (https://www.bleepingcomputer.com/news/security/air-france-and-klm-disclose-data-breaches-impacting-customers/?utm_source=adept.travel)

Regulators notified in France and the Netherlands

KLM reported the incident to the Dutch Autoriteit Persoonsgegevens, and Air France notified France's CNIL. A CNIL spokesperson confirmed receipt and said analysis is underway. These steps align with European breach-notification rules that require prompt disclosure when personal data may be at risk. External link: regulatory details summarized by ITPro (https://www.itpro.com/security/data-breaches/air-france-and-klm-confirm-customer-data-stolen-in-third-party-breach?utm_source=adept.travel)

Airline breaches since June, at a glance

Hawaiian reported a cybersecurity event on June 26. WestJet disclosed a June 13 incident and later issued updates. Qantas said 5.7 million customers were affected, primarily via frequent-flyer and contact details. Each airline said no payment cards or passports were exposed. External link: Qantas media update (https://www.qantasnewsroom.com.au/media-releases/update-on-qantas-cyber-incident-wednesday-9-july-2025/?utm_source=adept.travel)

Analysis

This breach underscores the airline industry's growing dependency on third-party platforms for customer support and loyalty operations. Attackers increasingly target those vendors, which often sit outside an airline's most hardened perimeter yet hold rich personal and program data that enable convincing scams. Even limited fields, such as names, phone numbers, and frequent-flyer identifiers, can be weaponized to phish one-time codes, redirect vouchers, or social-engineer call-center agents. Recent reporting links parts of this wave to threat groups using vishing and Salesforce-focused social-engineering, while other attacks in the sector have been attributed to Scattered Spider and similar crews. Regardless of attribution, the risk pattern is clear. Airlines must tighten vendor due diligence, limit data exposure in contact-center tools, and enforce step-up verification for account changes. Travelers should enable multifactor authentication, rotate passwords unique to Flying Blue and other programs, and treat any urgent message about points, itinerary changes, or refunds as suspicious unless verified through official apps or phone numbers.

Final Thoughts

For most travelers, the practical impact is a spike in targeted scams rather than direct account theft. The safest response is to take control: confirm your contact details in official apps, turn on multifactor authentication, and ignore links in unexpected emails or texts about mileage or refunds. If in doubt, contact the airline directly using a verified channel and never share one-time codes. With vendor risks rising across the sector, basic hygiene remains your best defense as this Air France-KLM cyberattack recedes from the headlines.