Air France suffered a **cyber attack** via a **third-party vendor (Salesforce)**, compromising the **personal data of tens of thousands of passengers**, including full names, contact details, frequent flyer status, and email subject lines from service requests. While **credit card or passport data was not accessed**, the stolen information was allegedly **sold on the dark web**, exposing victims to **identity theft and phishing scams**. The breach, linked to the **Scattered Spider hacking group**, exploited social engineering tactics to infiltrate Air France’s customer support systems. A **class-action lawsuit** (filed in New York under *1:25-cv-07634*) accuses the airline of **negligent cybersecurity practices** and of failing to prevent, detect, or mitigate the breach despite prior warnings about aviation sector vulnerabilities. Although Air France offered **complimentary credit monitoring**, plaintiffs argue this does not address the **long-term risks of fraud and privacy violations**. The incident mirrors an attack on **Qantas** via the same Salesforce vulnerability in July 2023.
TPRM report: https://www.rankiteo.com/company/air-france--klm
{
  "id": "air1292412100725",
  "linkid": "air-france--klm",
  "type": "Cyber Attack",
  "date": "7/2023",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'tens of thousands',
'industry': 'aviation',
'location': 'France',
'name': 'Air France',
'size': 'large (part of Air France-KLM Group)',
'type': 'airline'},
{'industry': 'aviation',
'location': 'Netherlands',
'name': 'KLM Royal Dutch Airlines',
'size': 'large (part of Air France-KLM Group)',
'type': 'airline'},
{'industry': 'technology',
'location': 'USA',
'name': 'Salesforce (third-party vendor)',
'size': 'large',
'type': 'software provider'},
{'industry': 'aviation',
'location': 'Australia',
'name': 'Qantas',
'size': 'large',
'type': 'airline'},
{'industry': 'retail',
'name': 'Cartier',
'type': 'luxury retailer'},
{'industry': 'retail',
'name': 'Louis Vuitton',
'type': 'luxury retailer'},
{'industry': 'retail',
'name': 'Pandora',
'type': 'jewelry retailer'}],
'attack_vector': ['third-party vendor compromise (Salesforce)',
'social engineering (Scattered Spider group)'],
'customer_advisories': ['complimentary credit monitoring offered',
'likely notifications to affected passengers'],
'data_breach': {'data_exfiltration': ['data sold on the dark web'],
'file_types_exposed': ['customer support records',
'email metadata'],
'number_of_records_exposed': 'tens of thousands',
'personally_identifiable_information': ['full names',
'contact details',
'frequent flyer '
'status'],
'sensitivity_of_data': ['moderate (no financial or passport '
'data, but PII exposed)'],
'type_of_data_compromised': ['personally identifiable '
'information (PII)',
'customer service request '
'metadata']},
'date_publicly_disclosed': '2025-08-mid',
'description': 'Air France is facing a class action lawsuit over a cyber '
'attack that resulted in the theft of personal details of tens '
'of thousands of passengers, which were allegedly sold on the '
'dark web. The breach occurred via a third-party vendor '
'(Salesforce) supplying customer support software to Air '
'France. Hackers accessed data including full names, contact '
'details, frequent flyer status, and email subject lines. '
'While no credit card or passport data was compromised, the '
'stolen information could be used for identity theft or '
'phishing scams. The lawsuit alleges Air France failed to '
'implement adequate cybersecurity safeguards. The incident is '
'linked to the Scattered Spider group, known for social '
'engineering attacks.',
'impact': {'brand_reputation_impact': ['negative publicity',
'loss of customer trust',
'legal scrutiny'],
'customer_complaints': ['class action lawsuit filed by Ethan '
'Allison and Arya Soofiani'],
'data_compromised': ['full names',
'contact details',
'frequent flyer status',
'email subject lines of service requests'],
'identity_theft_risk': ['high (due to exposed PII)',
'phishing scams targeting victims'],
'legal_liabilities': ['class action lawsuit (case number: '
'1:25-cv-07634)',
'potential regulatory fines'],
'payment_information_risk': ['low (no credit card or passport data '
'accessed)'],
'systems_affected': ['Salesforce customer support software']},
'initial_access_broker': {'data_sold_on_dark_web': ['confirmed'],
'entry_point': ['compromised Salesforce customer '
'support software'],
'high_value_targets': ['customer PII',
'frequent flyer data']},
'investigation_status': ['ongoing (class action lawsuit in progress)',
'no public details on technical investigation'],
'lessons_learned': ['Third-party vendor risks must be rigorously assessed and '
'mitigated, especially in high-target industries like '
'aviation.',
'Social engineering attacks (e.g., Scattered Spider '
'tactics) require robust employee training and '
'verification protocols.',
'Public disclosure timing and transparency are critical '
'to maintaining customer trust.',
'Complimentary credit monitoring may not suffice for '
'long-term harm caused by PII exposure.'],
'motivation': ['financial gain (data sold on dark web)',
'identity theft',
'phishing scams'],
'post_incident_analysis': {'root_causes': ['Inadequate cybersecurity '
'safeguards at third-party vendor '
'(Salesforce).',
'Lack of employee training to '
'prevent social engineering '
'attacks (e.g., Scattered Spider '
'tactics).',
'Failure to anticipate and '
'mitigate risks despite prior '
'warnings (e.g., Qantas breach in '
'July 2025).']},
'ransomware': {'data_exfiltration': ['data stolen and sold on dark web']},
'recommendations': ['Implement multi-factor authentication (MFA) and stricter '
'access controls for third-party vendors.',
'Conduct regular security audits of third-party software '
'providers, especially those handling customer data.',
'Enhance employee training to detect and prevent social '
'engineering attacks (e.g., fake IT helpdesk calls).',
'Develop a more comprehensive incident response plan, '
'including long-term support for affected customers '
'(e.g., identity theft protection).',
'Monitor dark web markets for exposed customer data and '
'proactively notify affected individuals.',
'Collaborate with industry peers (e.g., Qantas, other '
'airlines) to share threat intelligence and best '
'practices.'],
'references': [{'source': 'Class action lawsuit filing (Southern District of '
'New York)'},
{'source': 'Air France-KLM Group public disclosure (August '
'2025)'},
{'source': 'Unit 42 report on Scattered Spider targeting '
'airlines'}],
'regulatory_compliance': {'legal_actions': ['class action lawsuit (case '
'number: 1:25-cv-07634)']},
'response': {'communication_strategy': ['public disclosure in August 2025',
'customer advisories (likely)'],
'remediation_measures': ['complimentary credit monitoring '
'service for affected customers']},
'threat_actor': ['Scattered Spider group (alleged)', 'unknown cybercriminals'],
'title': 'Air France Data Breach via Third-Party Vendor (Salesforce) Leading '
'to Class Action Lawsuit',
'type': ['data breach', 'third-party breach', 'class action lawsuit'],
'vulnerability_exploited': ['weak cybersecurity safeguards in third-party '
'vendor (Salesforce)',
'social engineering targeting IT helpdesks']}