NEW YORK- Air France (AF) is facing a class action lawsuit in New York following a cyberattack that potentially exposed sensitive passenger data. The case, filed by plaintiffs Ethan Allison and Arya Soofiani, claims the airline failed to prevent a foreseeable breach.
The cyber incident, linked to a third-party vendor’s software, may have compromised personal details of passengers who recently contacted Air France or KLM Royal Dutch Airlines (KL, AMS).
Lawsuit Targets Air France Over Data Breach
In mid-August, the Air France–KLM Group admitted that its customer data was affected after a third-party vendor supplying support software was hacked.
The compromised system, reportedly provided by Salesforce, exposed customer information, including names, contact details, frequent flyer status, and subject lines of service request emails.
The lawsuit, filed in the Southern District of New York (Case No. 1:25-cv-07634), accuses Air France of negligence, arguing it lacked adequate cybersecurity safeguards and staff training to detect and stop intrusions.
Plaintiffs claim the airline’s response failed to protect passengers from potential identity theft risks. According to PYOK, the plaintiffs argue that Air France should have foreseen the threat given recent attacks on major aviation companies.
Timeline and Vendor Involvement
Although Air France publicly disclosed the breach in August, reports suggest the incident may have occurred weeks earlier.
Salesforce—the same U.S.-based software company used by Qantas (QF, SYD)—was targeted in a similar cyberattack in early July. The breach affected multiple global brands, including Cartier, Louis Vuitton, and Pandora.
In both the Air France and Qantas cases, hackers are not believed to have accessed credit card or passport information. However, cybersecurity experts warn that even limited data can be exploited for phishing or social engineering scams.
KLM (KL, AMS) has cautioned passengers about phishing attempts that may follow. In these scams, victims receive emails designed to appear as official airline communication, urging them to click on malicious links or provide personal information.
Clicking such links can install malware or redirect users to fake websites that capture sensitive data.
Experts warn that this breach highlights growing vulnerabilities within the aviation industry. Cybercriminal groups like Scattered Spider are increasingly using social engineering to trick IT helpdesks into granting unauthorized access, often by impersonating legitimate employees.
Air France’s Response
In response, Air France–KLM is offering affected passengers complimentary credit monitoring services for several months. However, the lawsuit argues this solution does not address the “lifelong harm” potential victims might face.
Plaintiffs claim the airline must take greater responsibility for securing customer data and improving cybersecurity training.
As the case proceeds, it underscores an urgent challenge for the aviation sector—strengthening data protection amid growing reliance on third-party digital systems.
Stay tuned with us. Further, follow us on social media for the latest updates.
Join us on Telegram Group for the Latest Aviation Updates. Subsequently, follow us on Google News
