
Air France and KLM have disclosed a data security incident involving unauthorized access to customer information on an external platform used for customer service operations.
While some personal data was accessed, the companies confirmed that no sensitive details, such as passwords, passport numbers, travel itineraries, or payment information, were compromised.
The breach was identified on August 6, 2025, prompting immediate containment actions by internal IT security teams working alongside the affected third-party provider. Both airlines stated that their internal systems remain unaffected, and measures have already been implemented to prevent similar incidents in the future.
The Air France–KLM Group has notified the Dutch Data Protection Authority and France’s CNIL, as required by national data protection laws. Impacted customers are being contacted directly and are advised to remain vigilant against suspicious emails, phone calls, or phishing attempts.
Air France–KLM is one of Europe’s largest airline groups, serving more than 100 million passengers annually through a global network. The affected system is used to manage customer service interactions, and although the vendor has not been officially named, the timing raises questions about a possible link to the ongoing Salesforce-related campaign. That campaign involves threat actors using vishing and malicious OAuth applications to extract CRM data from compromised Salesforce environments. However, there is currently no confirmation that Salesforce is the platform involved in the Air France–KLM breach.
The incident also echoes last month’s breach at Qantas, which exposed the personal data of 5.7 million customers via a third-party call center system. As in that case, the incident reflects a growing trend of attackers targeting outsourced platforms and highlights the critical need for strong security controls across third-party integrations.
Customers are urged to be cautious of unsolicited messages and verify all communications via official Air France or KLM channels. Enabling multi-factor authentication, avoiding suspicious links, and not disclosing credentials remain key defense strategies in the aftermath of such incidents.