Air France and KLM Royal Dutch Airlines have confirmed a fresh data breach affecting some of their customers, including UK travellers.
The incident, which took place in late July 2025, involved unauthorised access to a third-party customer service platform used by the airline group. Despite widespread speculation, neither Air France nor KLM has confirmed the vendor’s identity (as of 11/08/2025).
The attackers are believed to have accessed personal details such as first and last names, contact information, Flying Blue membership info, and even the subject lines of customer service emails.
According to the airlines, the breach only affects customers who had previously interacted with their customer service team through the affected platform. At this stage, it does not look like passwords, passport numbers, flight bookings or credit card details were compromised.
This isn’t the first time the airlines have been involved in a customer data breach
For many loyal customers, this will feel like déjà vu.
In January 2023, Air France and KLM confirmed a major breach of their Flying Blue loyalty programme, which has over 17 million members. That earlier attack exposed names, email addresses, phone numbers, recent transactions, and account balances.
At the time, some criticised the airlines for not using stronger security measures, such as two-factor authentication.
What the latest breach means for UK customers
Under UK GDPR rules, companies that process the data of UK residents must notify affected customers promptly and take steps to reduce harm. So, the airlines should contact affected passengers directly.
However, while financial data wasn’t stolen, the risk now lies in targeted phishing attacks.
Cybersecurity experts warn that details like your name, contact information, and frequent flyer tier status can make scam emails look very convincing, particularly if they refer to genuine previous customer service interactions. That makes UK travellers more vulnerable to falling for fraudulent messages that request additional information or urge urgent action.
What to do if you’re affected
If your data was stolen, it’s important to act now:
- Be alert for phishing emails, especially ones that appear to come from Air France, KLM, or partners.
- Check your Flying Blue account regularly for suspicious activity.
- Verify before you click anything. Go directly to the airline’s official website rather than using links in unsolicited messages.
- Consider enabling stronger security (such as two-factor authentication) if available.
You can get more information on how to keep yourself safe following a data breach in our handy guide.
The bottom line
Outsourcing customer service systems doesn’t remove an airline’s responsibility to protect passenger data. Both the 2023 and 2025 breaches show that vendor security is just as important as in-house systems.
If you’ve been notified that your data was exposed in the latest incident, you may be entitled to compensation.
We’re here to keep you informed, and, where appropriate, connect you with leading UK law firms who can help you claim for any security failures that put your personal data at risk.
Think you might be affected? Use our quick checker to find out. If you’re potentially eligible, register to get key updates – and we’ll let you know if a UK claim goes ahead.
