Flying Blue: Air France-KLM frequent flyer data compromised in new airline cyberattack 

Air France and KLM confirmed a breach of Flying Blue member data through an external platform. No core systems or sensitive customer data were affected.

KLM and Air France confirmed on Wednesday that they had experienced a cyberattack leading to a breach of Flying Blue member data. The vulnerability was attributed to an external platform used for customer service. 

The breach exposed the personal information of an unknown number of customers to unauthorised attackers. KLM declined to reveal the external platform involved for “security reasons.”

Core systems and sensitive customer data not affected by cyberattack

The airlines stopped unauthorised access immediately, but perpetrators may have gathered customers’ names, contact details, and account numbers from the Flying Blue rewards program. 

In addition, cybercriminals may have accessed the subject lines of emails requesting service and notes entered by KLM customer service agents.

The cyberattack did not affect the airlines’ core systems or result in the loss of sensitive information, such as passwords, miles, passports, or credit card details. Fraudsters, however, could use customer service information in targeted scams.

KLM notified customers of the data breach and warned them against phishing attempts. 

“The data involved in this breach could be used to make phishing messages appear more credible,” the airline wrote in an email to affected customers. “If you receive unexpected messages or phone calls, please check their authenticity.” KLM told customers to be especially alert to calls “asking for personal information or urging you to take action.”

A repeat of the 2023 Flying Blue data breach 

KLM suffered a similar breach of Flying Blue customer data in January 2023. In that case, the attackers acquired no sensitive information, but the customer service data leak left Flying Blue members vulnerable to phishing and fraudulent schemes. At the time, the breach was thought to have originated from malware.

“The initial response involved a thorough investigation to identify the source and nature of the compromise. Security teams conducted a rapid assessment of access logs and user accounts to pinpoint any unauthorised access or malware presence,” Hackershub reports. 

“As malware was suspected, it was triaged based on its potential impact and the sensitivity of the data involved. Critical systems were isolated from the network to contain any further spread of the threat. Simultaneously, the teams employed advanced detection tools to identify and analyse the malware’s behaviour, enabling them to understand its functionality and mitigate risks effectively.”

Air France and KLM join the list of airlines targeted by cyberattacks this year

While the culprits of this Wednesday’s breach of KLM Flying Blue customer data have not been identified, it is only one of several cyberattack incidents airlines have reported this year.

The pattern of the Flying Blue attack aligns with social engineering strategies employed by organised hacker groups like Scattered Spider, also known as Muddled Libra, UNC3944 and Octo Tempest.

Social engineering involves tricking people into granting access through deceptive tactics. It can include anything from using basic publicly available information to AI-generated voices or deepfake video calls to impersonate a legitimate person with access. Attackers will pressure help desks to reset passwords and even to establish new multi-factor authentication.     

Sam Rubin, SVP, Consulting and Threat Intelligence at Unit 42 for Palo Alto Networks, discussed aviation’s vulnerability to hackers with AGN.

“With so many stakeholders and systems in play, a single lapse—like a convincing phone call to a busy help desk—can compromise an entire operation,” Rubin said. “Social engineering thrives in these high-pressure environments, which is why consistent employee vigilance and robust verification protocols are critical to defence.”

Scattered Spider, Rubin says, is known to target industries in clusters, having previously carried out attacks against casinos in the US and retail in the UK. 

Airlines and aviation companies are a rich source of data for bad actors, making them attractive targets. Addressing vulnerabilities to social engineering tactics is particularly difficult. It only takes one employee being tricked to leave the organisation vulnerable. 

Rubin tells AGN that “consistent employee vigilance and robust verification protocols are critical to defence.”
