Dutch flag carrier KLM and sister airline Air France have reported a data breach involving unauthorised access to a third‑party customer service platform. The breach, which took place in late July 2025, is believed to have impacted personal data of passengers including names, contact details, loyalty credentials and email subject lines, though more sensitive information such as passwords, passport numbers or credit card details was not compromised. The airlines say their internal systems remain secure and unaffected by the incident.
The breach is believed to have originated from vulnerabilities within a third-party platform used by multiple airlines to manage customer service interactions. While the specific vendor involved in the Air France-KLM incident has not been officially named, the affected system is reportedly part of a widely adopted cloud-based environment commonly used for customer engagement and contact centre operations.
Publicly available details indicate that KLM has worked with Salesforce for its Service Cloud platform. These platforms support the airline’s customer service operations, including managing passenger enquiries, booking records and Flying Blue loyalty programme interactions. However, KLM has not confirmed whether either provider was involved in this incident, citing the ongoing investigation.
What was accessed and who is affected
According to KLM, the data exposure affects only passengers who had previously interacted with its customer service via the platform in question; the breach occurred within a third‑party system used across the Air France–KLM group. Specifically, compromised details include first and last names, contact information, Flying Blue membership numbers and tier status, and subject lines from customer service emails. Although the total number of affected individuals has not been disclosed, industry sources indicate the breach could involve a significant number of users, potentially running into hundreds of thousands across multiple jurisdictions.
With a global footprint spanning 90 countries and nearly 300 destinations, the Air France-KLM Group operates a fleet of 564 aircraft and employs approximately 78,000 people. In 2024, the group carried 98 million passengers worldwide.
While financial and travel booking data were not exposed, cybersecurity experts caution that the breached information could still be leveraged for targeted phishing campaigns, especially when combined with public social media or travel data. Affected users may receive messages appearing credible due to the presence of their frequent flyer status or customer support history.
Airline response and regulatory notification
KLM has stated that internal IT security teams, in conjunction with the external vendor, promptly executed containment measures and additional protections to prevent recurrence. As part of its compliance obligations under the General Data Protection Regulation (GDPR), the airline reported the incident to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) while Air France notified its French counterpart CNIL (Commission Nationale de l’Informatique et des Libertés).
The airlines also initiated direct communication with affected customers, sending individual email alerts with details of the breach and guidance on digital hygiene. To help affected customers guard against phishing, both airlines have issued advisories to discard unsolicited communications that request personal details or urge immediate action. They recommended that users verify authenticity before responding.
Aviation industry cyber‑risk implications
This breach is the latest in a series of aviation data incidents that exploit vendor vulnerabilities. In June, Qantas reported a similar third‑party breach affecting approximately 6 million passengers. In 2021, a major cyber incident involving global aviation IT firm SITA compromised passenger data across multiple Star Alliance airlines, including Singapore Airlines and Lufthansa.
The recurring risk highlights a systemic weakness in outsourcing customer interaction platforms. As airlines increasingly digitise their operations, the cybersecurity posture of third-party providers becomes central to trust and continuity. Cybersecurity firms have also flagged that criminal groups, including the ‘Scattered Spider’ collective, are increasingly targeting airline systems through social engineering attacks on service providers.
According to multiple reports, this incident may form part of a wave of supply‑chain attacks targeting Salesforce platforms, with groups such as ShinyHunters reportedly active in these campaigns. The shared infrastructure used by many large travel firms makes these platforms high-value targets for attackers seeking broad access through a single point of failure.
“While KLM’s swift response and transparency may help soothe customer concerns, the broader aviation sector must treat vendor cybersecurity as an essential component of operational integrity,” said Golok Kumar Simli, former Principal Advisor and Chief Technology Officer, Ministry of External Affairs, Government of India.

