Japan Airlines Hit by Unauthorized Access – 28,000 Passengers’ Data at Risk

Japan Airlines (JAL), one of Asia’s most respected airlines, disclosed a cybersecurity incident in February 2026 involving its Same-Day Baggage Delivery Service reservation platform. While the breach did not affect flight operations or core booking systems, it exposed personal information belonging to customers who had used the service over the past 18 months.The issue first came to light on the morning of February 9, when airport staff noticed that the baggage service system was not functioning correctly. As a precaution, JAL suspended the reservation service while its security team investigated the problem. A review of system logs revealed that unauthorized access had occurred shortly after midnight on February 9, although evidence suggested the attackers may have been present in the environment for much longer.
According to the airline, the affected database contained customer information such as names, email addresses, phone numbers, flight details, baggage delivery information, destination hotels, and service charges. Fortunately, payment card information, passwords, and other financial data were not stored within the compromised system and were not exposed during the incident.
What makes this breach particularly concerning is the length of time the attackers may have remained undetected. Security researchers believe the compromise could have existed for more than a year before it was discovered, highlighting the growing challenge organizations face in identifying sophisticated threats that quietly operate inside networks for extended periods.
JAL temporarily suspended the service, carried out a detailed security review, and restored operations on February 20 after confirming the platform was safe to use. The airline also apologized to affected customers and announced plans to strengthen its security controls and improve monitoring capabilities.
The incident serves as a reminder that cybercriminals do not always target an organization’s most critical systems. In many cases, secondary services and less-visible platforms can become attractive entry points for attackers. For airlines and other large enterprises, maintaining strong security across every connected system is no longer optional—it’s essential.