Hackers have gained access to the personal data of potentially hundreds of KLM and Air France customers following a supply chain attack.
News of the breach first appeared on the KLM website in Dutch, and an Air France-KLM spokesperson confirmed the situation, saying the intrusion happened last week (week commencing 28 July 2025).
In a statement to ITPro, a spokesperson said: “Air France and KLM confirm that they are investigating a fraudulent access to the data of some of our customers.
“An unusual activity was detected on a third-party platform used by our contact centers, which led our IT security team, together with the third-party system involved, to swiftly implement corrective measures to put an end to the incident.”
Protective measures have been taken to stop the same thing happening again, the spokesperson confirmed, adding that “no sensitive data such as password, travel data, Flying Blue Miles balance, passport or credit card numbers were disclosed”.
The breach only affects Air France and KLM customers, and both airlines are in the process of contacting these individuals. Customers are advised to be mindful of suspicious emails and phone calls in the wake of the incident.
The affected supplier has not been named for security reasons. However, KLM has reported the incident to the Dutch data protection regulator (Autoriteit Persoonsgegevens), while Air France has contacted the French equivalent (CNIL).
In a statement given to ITPro, a spokesperson for CNIL confirmed it has been notified of the breach and that affected individuals have been contacted.
“The CNIL is in the process of analyzing the notification,” the spokesperson said. “The data involved are: Name, surname, contact information, Flying Blue membership number and status, and the subject of questions sent to the company by email.”
The latest in a long-line of supply chain attacks
Supply chain attacks have become an increasingly popular method of compromise for cyber criminals.
In 2024, security firm Checkmarx revealed that 63% of companies had been the victim of a supply chain attack in the previous two years, while 75% of organizations using open source code packages said they were concerned or very concerned about software supply chain security.
Research also revealed in 2024 that nearly all (97%) of the top 100 US banks were hit by third party data breaches such as the one affecting Air France-KLM, with a similar number subject to fourth-party breaches (suppliers to their suppliers).
SecurityScorecard’s 2025 Global Third-Party Breach Report meanwhile found that the Netherlands – home to KLM – was one of the countries where businesses were most likely to suffer a third-party breach, coming in second after Singapore.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
