Overview
- Detected in early August, the airlines cut off unauthorized access to the external customer service platform within 24 hours.
- Compromised information included first and last names, contact details, Flying Blue membership numbers, loyalty tier levels and email subject lines from service requests.
- Internal networks and systems were not breached and no passwords, payment card data, booking or passport details were exposed.
- Under EU GDPR, both carriers have lodged breach reports with the Dutch Data Protection Authority and the French CNIL.
- Security analysts say the incident echoes a wave of targeted attacks on third-party SaaS providers by groups such as ShinyHunters and Scattered Spider.