Air France and KLM confirm customer data stolen in third-party breach
Both airlines said the data leak originated with a third-party supplier


Hackers have gained access to the personal data of potentially hundreds of KLM and Air France customers following a supply chain attack.
News of the breach first appeared on the KLM website in Dutch, and an Air France-KLM spokesperson confirmed the situation, saying the intrusion happened last week (week commencing 28 July 2025).
In a statement to ITPro, a spokesperson said: “Air France and KLM confirm that they are investigating a fraudulent access to the data of some of our customers.
“An unusual activity was detected on a third-party platform used by our contact centers, which led our IT security team, together with the third-party system involved, to swiftly implement corrective measures to put an end to the incident.”
Protective measures have been taken to stop the same thing happening again, the spokesperson confirmed, adding that “no sensitive data such as password, travel data, Flying Blue Miles balance, passport or credit card numbers were disclosed”.
The breach only affects Air France and KLM customers, and both airlines are in the process of contacting these individuals. Customers are advised to be mindful of suspicious emails and phone calls in the wake of the incident.
The affected supplier has not been named for security reasons. However, KLM has reported the incident to the Dutch data protection regulator (Autoriteit Persoonsgegevens), while Air France has contacted the French equivalent (CNIL).
In a statement given to ITPro, a spokesperson for CNIL confirmed it has been notified of the breach and that affected individuals have been contacted.
"The CNIL is in the process of analyzing the notification," the spokesperson said. "The data involved are: Name, surname, contact information, Flying Blue membership number and status, and the subject of questions sent to the company by email."
The latest in a long line of supply chain attacks
Supply chain attacks have become an increasingly popular method of compromise for cyber criminals.
In 2024, security firm Checkmarx revealed that 63% of companies had been the victim of a supply chain attack in the previous two years, while 75% of organizations using open source code packages said they were concerned or very concerned about software supply chain security.
Research also revealed in 2024 that nearly all (97%) of the top 100 US banks were hit by third-party data breaches such as the one affecting Air France-KLM, with a similar number subject to fourth-party breaches (suppliers to their suppliers).
SecurityScorecard’s 2025 Global Third-Party Breach Report meanwhile found that the Netherlands – home to KLM – was one of the countries where businesses were most likely to suffer a third-party breach, coming in second after Singapore.

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.