Overview

• Detected in early August, the airlines cut off unauthorized access to the external customer service platform within 24 hours.
• Compromised information included first and last names, contact details, Flying Blue membership numbers, loyalty tier levels and email subject lines from service requests.
• Internal networks and systems were not breached and no passwords, payment card data, booking or passport details were exposed.
• Under EU GDPR, both carriers have lodged breach reports with the Dutch Data Protection Authority and the French CNIL.
• Security analysts say the incident echoes a wave of targeted attacks on third-party SaaS providers by groups such as ShinyHunters and Scattered Spider.