The Gist
Two major airline data breaches—Qantas and Air France/KLM—have underscored the same unsettling truth: attackers don’t need to hack the airline itself to reach millions of passengers. In both cases, the compromise stemmed from third-party customer service platforms, not the airlines’ own systems.
For an industry that holds sensitive customer data and is under constant scrutiny during peak travel seasons, these incidents are a stark reminder that airlines are high-value targets—and their weakest point is often their vendors. The FBI has raised an alarm about cybercriminals targeting the airline industry using social engineering techniques.
The Qantas Incident
On June 30, 2025, Australian airline Qantas detected suspicious activity on a third-party platform. A voice‑phishing (“vishing”) attack was used to trick a call-centre employee into granting access to the third-party system storing personal details of up to 6 million of their customers. Exposed information included names, birth dates, email addresses, phone numbers, and frequent-flyer numbers. Luckily, no financial data, passwords, or passport details were compromised.
Air France/KLM Incident
In late July 28, 2025, Air France and KLM detected unauthorized access to a third-party platform servicing their customer service—potentially involving Salesforce systems. The hackers behind the breach were able to nab customer data, such as names, contact details, and their rewards program information. Thankfully, as with Qantas, more sensitive information (passwords, passport data, travel details, credit card information, and loyalty miles) remained safe.
Both airlines have notified regulators (France’s CNIL and the Netherlands’ Autoriteit Persoonsgegevens) and urged affected customers to be vigilant against phishing attempts.
How These Airline Data Breaches Work (and Why They’re Dangerous)
Does this tactic sound familiar? It should. These airline data breaches mirror earlier third-party incidents in other industries, like the third-party breach in the UK retail sector. In all cases, attackers exploited weaker vendor systems to compromise high-profile brands.
Third-Party Vendor Compromise
Compromising a target organization via a third-party vendor can be just as lucrative as attacking a larger target organization itself. External platforms used for customer service can hold or access millions of passenger records. And because vendors often lack the security resources of a global airline, their defenses lag—creating a path of least resistance.
Social-Engineering Entry Points
Customer service and contact center staff are prime targets for credential theft or impersonation. AI-powered phishing and AI-generated impersonation, such as deepfake voice calls, render traditional detection mechanisms less effective. These new tactics and abilities are making real-time detection increasingly difficult for the individuals defending against them, while they become cheaper and easier to access for would-be attackers.
Why Traditional Defenses Fail
- Perimeter defenses don’t extend to vendor systems.
- Vendor risk assessments are often point-in-time audits, not continuous oversight.
- As a result, organizations can be blindsided by a vendor compromise even when their internal systems are secure.
Trustmi’s Take
For airlines, these breaches hit close to home: even when your own systems are secure, the customer trust you’ve built can be shaken by a single vendor compromise. In an industry where loyalty programs and passenger data are core to brand value, vendor risk quickly becomes business risk.
But airlines aren’t alone. These incidents drive home a critical point: vendor risk is organizational risk. A strong brand or secured internal network offers little protection if a partner’s system is compromised.
Research cited by ITPro shows that 63% of companies suffered a supply chain attack in the past two years, and 97 of the top 100 US banks were hit by third-party breaches. The pattern is clear: third-party compromise is no longer the exception; it’s the norm.
Watch our on-demand webinar, Trade Wars and Vendor Risks: 3 Actionable Insights to Avoid Fraud, to learn how supply chain attacks like these evolve—and how to defend against them.
