Air France KLM Group disclosed a data compromise incident affecting its customer base, traced to a breach at a third-party service provider that supported its contact center operations. The company confirmed detecting unusual activity on the external platform, after which it initiated an immediate response involving the vendor, cybersecurity experts, and relevant authorities.
The exposed information primarily consisted of customer names, email addresses, phone numbers, Flying Blue loyalty program numbers, tier levels, and the subject lines of service-related emails. The airline group stated that sensitive personal or financial information, such as payment card details, passport numbers, account credentials, travel itineraries, or mileage balances, was not impacted. Internal Air France KLM systems were not affected, and the compromise was confined to the external platform.
The company promptly notified regulators in France (CNIL) and the Netherlands (Autoriteit Persoonsgegevens) in accordance with data protection requirements, while also alerting potentially impacted customers directly. Although the exposed dataset may appear limited, experts warn that it could still facilitate phishing, targeted scams, and social-engineering attempts against customers.
This incident highlights the persistent risk posed by supply chain vulnerabilities, especially in the airline industry, where large volumes of customer data are processed through third-party platforms. It reinforces the growing call for stronger oversight, contractual controls, and cybersecurity monitoring across all external providers managing critical customer information.