Air France and KLM announced on Wednesday that a data breach has compromised the information of an undisclosed number of customers after attackers gained unauthorized access to a customer service platform. The breach was reported to relevant authorities, including the Dutch Data Protection Authority for KLM and the CNIL in France for Air France, as the airlines move to notify affected individuals.
The incident was discovered following unusual activity on an external platform used for customer service. Air France and KLM issued a statement confirming, “Our IT security teams, along with the relevant external party, took immediate action to stop the unauthorized access.” They assured the public that their internal systems remained secure and unaffected by the incident.
According to the airline group, although customer data was accessed, sensitive financial and personal information was not compromised. Nonetheless, the airlines encouraged affected individuals to remain vigilant for any suspicious communications, including emails or phone calls, as they complete their investigation into the breach.
This incident follows a troubling trend of cyberattacks targeting the aviation sector. Recently, other airlines, including WestJet and Hawaiian Airlines, also reported breaches linked to the Scattered Spider hacker collective, which has increasingly focused on the aviation and transportation industries. This escalation raises concerns about ongoing vulnerabilities within these critical sectors and the need for robust cybersecurity measures.
Air France-KLM is a major player in international air transport, operating a fleet of 564 aircraft and employing 78,000 personnel to provide services to 300 destinations across 90 countries. In 2024 alone, they transported 98 million passengers worldwide. As the airline industry continues to recover from the pandemic, the recent breach highlights the vital importance of maintaining strong cybersecurity protocols to protect customer data.
In light of recent events, it is crucial for companies to remind customers of the potential risks of such incidents. The implications of not addressing cybersecurity adequately could lead to significant financial and reputational damage, as seen with other high-profile breaches affecting global brands like Adidas, Qantas, and Google.