Air France is facing a class action lawsuit in New York after a cyberattack exposed customer information tied to its global operations. The lawsuit, filed by plaintiffs Ethan Allison and Arya Soofiani, alleges that the airline failed to adequately safeguard passenger data from a foreseeable breach.
The complaint, lodged in the U.S. District Court for the Southern District of New York (Case No. 1:25-cv-07634), centers on a mid-August disclosure by the Air France–KLM Group. The company acknowledged that customer data had been compromised through a third-party vendor supplying support software — later identified as Salesforce.
Breach Through Third-Party Vendor
According to the airline, the incident stemmed from a cyberattack targeting Salesforce, a U.S.-based customer relationship management platform used by both Air France and KLM Royal Dutch Airlines. The breach reportedly exposed passenger names, contact details, frequent flyer statuses, and the subject lines of customer service emails.
No credit card or passport data was believed to have been accessed, but cybersecurity analysts warned that even limited personal information could enable phishing or social engineering attacks. “Hackers can use such data to create convincing fake emails that trick users into disclosing additional sensitive information,” one industry expert noted.
KLM, Air France’s sister carrier, has since urged passengers to be vigilant against phishing attempts. The airline warned of fraudulent messages posing as official communications, designed to lure victims into clicking malicious links or providing login credentials. Such attacks, experts say, can install malware or redirect users to counterfeit websites that harvest data.
Legal Claims of Negligence
The plaintiffs allege that Air France “failed to implement reasonable cybersecurity measures” and “lacked adequate staff training to detect and prevent intrusions.” The complaint accuses the airline of negligence, contending that its systems and policies fell short of industry standards despite growing threats to aviation networks.
According to PYOK, a legal news outlet, Allison and Soofiani argue that Air France should have anticipated the danger, given a wave of recent cyber incidents affecting major travel and retail companies. The plaintiffs claim that the airline’s response has been insufficient to shield customers from risks such as identity theft, fraudulent account access, and reputational damage.
The lawsuit further asserts that the airline’s offer of temporary credit monitoring “does not mitigate the lifelong harm potential victims might face” as a result of the breach.
Timeline of the Cyberattack
While Air France publicly confirmed the data breach in August, investigators believe the compromise may have occurred several weeks earlier. Salesforce, the implicated vendor, was also targeted in a similar attack in early July — one that affected several international brands, including Cartier, Louis Vuitton, and Pandora.
Cybersecurity analysts have drawn parallels between this incident and a broader pattern of attacks involving social engineering techniques. Groups such as Scattered Spider have gained notoriety for impersonating IT staff to gain unauthorized access to enterprise systems. These sophisticated intrusions, experts say, demonstrate the vulnerabilities created by global dependence on interconnected digital vendors.
“The aviation industry is particularly exposed because of its reliance on shared IT platforms and third-party service providers,” said one cybersecurity researcher specializing in transportation infrastructure. “Even if airlines invest heavily in internal security, they remain only as strong as the weakest vendor in their network.”
Air France’s Response and Industry Implications
Following the disclosure, Air France–KLM said it had taken immediate steps to contain the breach and enhance monitoring of its digital systems. The company has also begun offering affected passengers complimentary credit monitoring and identity theft protection for several months.
Still, plaintiffs argue that these measures fail to address underlying systemic weaknesses. They contend that Air France must adopt stricter data governance protocols and improve employee cybersecurity training to prevent future breaches.
The case underscores a growing challenge for global airlines: balancing digital transformation with robust data protection. As carriers increasingly rely on third-party cloud providers and customer engagement platforms, they face heightened exposure to cyber risk and regulatory scrutiny.
For Air France, the lawsuit could set a precedent for how courts evaluate corporate responsibility in third-party data breaches. For the broader aviation sector, it serves as a reminder that cybersecurity is no longer a back-office issue — it is now central to passenger trust and brand reputation.
As the case proceeds through the Southern District of New York, its outcome may influence how airlines, technology vendors, and regulators address shared accountability in protecting customer information.
