Published on August 8, 2025
By: Tuhin Sarkar
KLM and Air France join Aeroflot, Qantas, WestJet, United, and South African Airways in facing serious cybersecurity threats, data breach and outages. In 2025, the travel industry is seeing an alarming rise in cyberattacks, targeted data breaches, and large-scale IT outages. KLM and Air France are now part of this growing list of major airlines under pressure from hackers and technical failures. Aeroflot, Qantas, WestJet, United, and South African Airways have each faced their own serious cybersecurity threats, data breach and outages in recent months.
These incidents are more than isolated events. They show a trend of sophisticated attacks aimed at disrupting airline operations and stealing sensitive data. In each case, the impact is felt by millions of passengers worldwide. Airlines like KLM, Air France, Aeroflot, Qantas, WestJet, United, and South African Airways depend on complex IT systems for bookings, schedules, and customer communications. When those systems face serious cybersecurity threats, data breach and outages, the result can be delays, cancellations, and loss of customer trust.
Advertisement
The challenge is not just in fixing the damage but in staying ahead of the next threat. Airlines must strengthen defences, train staff to resist phishing and vishing, and invest in secure infrastructure. As KLM and Air France join Aeroflot, Qantas, WestJet, United, and South African Airways in this battle, the message is clear: the aviation industry must adapt quickly to survive in a world where serious cybersecurity threats, data breach and outages are no longer rare—they are the new reality.
Airlines across the world are under pressure in 2025 as cybercriminals step up attacks on customer data. Major carriers from Europe, Australia, and beyond have confirmed serious breaches. Others face claims of theft that remain under investigation. These incidents reveal the scale of the threat and the growing risk to passengers. This report explains what happened, who was hit, and why travel industry security needs urgent attention.
In August 2025, Air France and KLM revealed they had suffered a data breach. The attack came through a third-party customer-service platform. Hackers gained access to names, contact details, and loyalty programme data. They did not get passwords, passport numbers, or credit card details. The airlines acted fast to stop the attack and inform customers. This breach is part of a wider campaign linked to the group known as ShinyHunters.
ShinyHunters is a cybercrime group known for targeting companies that use Salesforce CRM systems. They use voice phishing, or “vishing,” to trick customer support staff into giving access to CRM tools. A modified version of Salesforce’s Data Loader is then used to copy customer data. This method has been used against several high-profile companies in 2025, including Google and Qantas. It shows how human error can be just as dangerous as software flaws.
Advertisement
| Airline | Year | Reason & Outcome | Loss / Scale |
|---|---|---|---|
| Qantas | 2025 | Data stolen from third-party CRM in a targeted cyberattack linked to Salesforce vishing. Names, contacts, and loyalty programme IDs exposed. Notifications sent. | ~5.7 million customer records affected. |
| Air France & KLM | 2025 | Unauthorised access on an external customer-service platform; no passwords, passports, or card data accessed. Likely part of a broader CRM-targeting campaign. | Not disclosed; customers advised to stay vigilant. |
| Aeroflot | 2025 | Major cyberattack disrupted IT systems; hacktivists claimed theft of internal databases. | Over 100 flights cancelled; data-leak claims ongoing. |
| WestJet | 2025 | Cyber incident disrupted website and app; investigation launched by privacy regulator. | Potential impact on customer data; service disruption. |
| Hawaiian Airlines | 2025 | Security incident under investigation; operations continued. | Loss details not disclosed; flights unaffected. |
| Wizz Air / Wizz Air Abu Dhabi | 2025 | Ransomware group claimed theft of 22 GB of data; no public confirmation from airline. | Claimed 22 GB internal and customer data. |
| South African Airways (SAA) | 2025 | Cyber incident disrupted systems; ransomware group claimed responsibility. | Temporary operational disruption; possible personal data exposure. |
| Delta Air Lines | 2024 | Global IT outage from faulty third-party update caused major flight disruptions. | ~$500 million loss; over 7,000 flights cancelled. |
| United / American / JetBlue | 2024 | Same global IT outage as Delta; widespread delays and cancellations. | Thousands of delays and cancellations. |
| British Airways | 2025 | Heathrow power outage after substation fire; BA most affected at LHR. | ~1,300+ flights cancelled across airlines. |
| Lufthansa Group | 2023 | Frankfurt network cables severed; IT systems offline. | Hundreds of flights delayed or cancelled. |
| Air Europa | 2023–2024 | Breach of online payment gateway exposed payment card data. | Payment card compromise; volume undisclosed. |
| Air Canada | 2023 | Intrusion into internal systems exposed employee data. | Employee data accessed; customer systems unaffected. |
| British Airways | 2018 | Magecart-style compromise of web and app payment system. | ~400,000 payment cards affected; £20m fine. |
| Cathay Pacific | 2018 | Long-running breach exposed passenger data. | 9.4 million passengers affected; £500k fine. |
Qantas confirmed one of the largest airline data breaches of the year. Around 5.7 million customers were affected. For about 4 million of them, stolen data included names, emails, and frequent flyer numbers. A further 1.7 million also had addresses, phone numbers, birth dates, gender, and meal preferences exposed. No payment or passport data was taken. The breach has triggered an investigation by the Australian Federal Police.
In early 2025, Lufthansa Group was named in a regulator announcement from Hungary’s data protection authority. The disclosure said passenger data from cancelled flights between 2019 and 2024 had been exposed. Details of how the breach happened were not made public. The timing of the announcement shows how some incidents only become known long after the original compromise.
Aeroflot, Russia’s largest airline, suffered a cyberattack that led to more than 60 flight cancellations. Hacktivists claimed to have stolen internal databases, flight history, and email archives. The airline has not confirmed the data theft. This case shows how operational disruption and potential data loss often go hand in hand.
WestJet reported a cyberattack that disrupted its internal systems and mobile app. The company has not confirmed if any customer data was stolen. The attack is still under investigation. WestJet’s case reflects the uncertainty that often surrounds breaches in the first days after discovery.
Hawaiian Airlines also disclosed a cybersecurity incident in 2025. It said that flights were not affected, but some IT systems were impacted. Whether customer data was taken remains unclear. This case adds to the list of North American carriers dealing with cyber threats this year.
Low-cost airline Wizz Air and its joint venture Wizz Air Abu Dhabi were named on criminal leak sites in April and May 2025. Hackers claimed to have stolen 22 gigabytes of corporate and operational data. The airline has made no detailed public confirmation. This situation highlights the role of leak sites in shaping public perception, even before facts are confirmed.
A criminal forum post in 2025 claimed to offer a database of 272 million SMS records tied to United Airlines. Analysts who reviewed the data found signs of test information, suggesting the leak may not be genuine. United has not confirmed any breach. This case shows the challenge of separating fact from fiction in the fast-moving world of cybercrime claims.
In May 2025, South African Airways faced an incident that disrupted operations. A ransomware group claimed to have stolen data and posted a “Part 1” leak online. The airline has focused on restoring services while investigating the scope of the breach. Official details remain limited.
Many of the confirmed and suspected breaches in 2025 involve third-party platforms, especially CRM systems like Salesforce. These systems store large amounts of customer data and are accessible to multiple staff and partners. Attackers exploit trust and urgency to bypass protections. Once inside, they can copy large data sets quickly. This year’s events underline the need for stricter access controls and better training.
While most airlines have said that financial and passport data were not stolen, the information taken is still valuable to criminals. Names, emails, phone numbers, loyalty programme details, and travel preferences can be used for targeted phishing. These scams can trick customers into revealing more sensitive information or making fraudulent payments.
In confirmed cases, airlines responded quickly to limit damage. They worked with IT security teams and external experts to close the breach. Customer notifications were sent, and regulators were informed. These steps are vital for meeting legal obligations and maintaining public trust. But prevention remains better than cure, especially in an industry that handles millions of passenger records daily.
Regulators like the Hungarian NAIH and agencies like the Australian Federal Police are playing a key role in investigating these breaches. Their work helps confirm the scale of attacks and hold companies accountable for protecting data. Law enforcement agencies also track cybercrime groups and share intelligence with potential targets.
The events of 2025 show that no airline is too big or too small to be targeted. Attacks can come through direct hacks, third-party services, or insider mistakes. Travel companies must ensure staff are trained to spot social engineering, especially vishing attempts. Multi-factor authentication and least-privilege access policies should be standard. Regular audits of third-party connections can reduce the attack surface.
KLM and Air France have confirmed a data breach linked to the cybercrime group ShinyHunters. This incident raises urgent questions about travel industry security. Hackers targeted a customer-service platform, exposing customer details but avoiding sensitive data like passwords or payment information. The breach shows how social engineering tactics remain a major risk, even for global airlines.
KLM and Air France detected unusual activity on an external customer-service platform. Their IT teams moved quickly to stop the attack. The Air France-KLM Group confirmed that hackers did not reach internal systems or steal passwords, passport numbers, or credit card data. However, the breach did involve some customer contact information. Affected customers are being notified and advised to watch for suspicious emails or calls. The breach is part of a growing trend of attacks on airline-linked systems.
The incident has the hallmarks of ShinyHunters, a cybercrime group targeting Salesforce customers. ShinyHunters has recently attacked Google, Cisco, and Qantas, using similar methods. They specialise in social engineering, convincing support staff to grant access to customer relationship management (CRM) systems. The group has been active in targeting high-profile companies, including fashion and luxury brands, showing a broad and ambitious strategy. Their actions continue to cause disruption across multiple industries.
While the airlines have not confirmed the platform breached, Salesforce lists them as customers. Recent attacks on Salesforce customers have exposed names, email addresses, and other contact details. Salesforce has stated that its own systems have not been compromised. Instead, attackers exploited human error through phishing and voice-based social engineering. The company is urging customers to strengthen their security settings to prevent such breaches in the future.
Multiple organisations have reported being targeted through “vishing” or voice phishing. Hackers call customer support teams pretending to be authorised staff. They convince these teams to allow access to Salesforce CRM systems. Once inside, attackers use tools like a modified Salesforce Data Loader to copy data. Google confirmed that in June, it fell victim to this type of attack by ShinyHunters, which it tracks as UNC6040. This shows the growing reach of the group’s tactics.
The list of victims of these attacks is growing. Allianz Life, Adidas, Victoria’s Secret, and luxury brands under LVMH—such as Dior, Louis Vuitton, and Tiffany—have all been hit. Australian airline Qantas has also been affected. Recently, Chanel confirmed a breach affecting a customer database hosted by a third party. These incidents highlight how no sector is immune from social engineering attacks targeting CRM systems. The impact stretches far beyond the travel industry.
The Air France-KLM Group operates 574 aircraft and serves 320 destinations. In 2024, it transported 98 million passengers. A breach in a network of this scale can have serious implications for customer trust. Even though sensitive travel and payment data were not stolen, the loss of personal contact details can still lead to phishing and scam attempts. The company’s global reach means the effects could be widespread.
Salesforce has made it clear that the problem is not with its platform’s code or infrastructure. Instead, it points to social engineering as the primary weakness. The company advises clients to enable multi-factor authentication, limit access permissions, and monitor all third-party app connections. These steps are designed to block attackers before they can trick staff into granting access. Salesforce is also working with clients to raise awareness about phishing threats.
Social engineering attacks target human behaviour, not just technology. By posing as trusted insiders, attackers can bypass technical security systems. These tactics exploit trust, urgency, and confusion. In the case of Salesforce-related breaches, attackers manipulate staff into allowing harmful connections to CRM systems. Training and awareness are key defences. Without them, even strong technical safeguards can fail.
The travel industry handles huge amounts of personal and financial data. This makes it an attractive target for hackers. Airlines, hotels, and booking platforms must combine technical defences with strong human-focused training. Incident response plans must be ready to activate within minutes of detecting unusual activity. The Air France-KLM case shows how quick action can limit damage, but also highlights the ongoing risk.
Customers whose details may have been stolen should be extra cautious. They should watch for phishing emails or calls requesting sensitive information. These messages may appear convincing, using stolen personal data to seem legitimate. Experts advise customers to avoid clicking on suspicious links, confirm sender details, and use strong, unique passwords for all accounts. Monitoring bank accounts and credit reports is also a smart step after any breach.
The breach at Air France-KLM is a warning to the wider travel sector. Businesses must test their staff’s resistance to phishing, ensure security settings are up to date, and limit access to critical systems. It is not enough to rely on software security alone. Human error remains the easiest entry point for attackers. Proactive security measures can reduce the chances of a similar incident.
The group is now working with security teams and external experts to review its systems. It is also contacting affected customers directly. While the breach did not involve financial or travel data, the incident will still test the airline’s ability to maintain trust. Clear communication, visible action, and improved security policies will be vital in the months ahead. Other airlines will be watching closely to see how the group restores confidence.
The KLM and Air France data breach linked to ShinyHunters is a stark reminder of how cybercriminals target the travel industry. Social engineering remains a powerful tool for attackers. While sensitive financial and travel data were spared, the exposure of customer contact details still poses risks. The incident shows the need for constant vigilance, both technical and human. As airlines continue to digitise their operations, protecting customer data must remain a top priority.
Passengers should be cautious after any breach. Watch for suspicious emails or calls that use personal details to seem real. Avoid clicking on links from unknown senders. Use strong, unique passwords for all accounts, and enable two-factor authentication where possible. Checking bank accounts and loyalty programmes for unusual activity is also wise.
Cyberattacks against airlines are likely to continue through 2025 and beyond. Groups like ShinyHunters and Scattered Spider are refining their tactics and targeting high-value industries. Airlines must balance the need for customer convenience with stronger security measures. Public trust depends on how quickly and transparently they respond to future incidents.
The wave of airline data breaches in 2025 is a wake-up call for the global travel industry. From confirmed incidents at KLM, Air France, and Qantas to suspected breaches at others, millions of passengers have been affected. The common threads are third-party vulnerabilities and social engineering. Airlines must learn from these events to strengthen defences and protect passenger data. For travellers, awareness and caution remain the best personal safeguards.
Image Credit: KLM
Advertisement
Wednesday, November 26, 2025
Wednesday, November 26, 2025
Wednesday, November 26, 2025
Wednesday, November 26, 2025
Wednesday, November 26, 2025
Wednesday, November 26, 2025
Wednesday, November 26, 2025
Wednesday, November 26, 2025