Based on Luxair’s information, the incident at their external service provider was a data breach resulting from inadequate security measures, potentially exposing customer data. Photo: Shutterstock


On Friday 18 August 2023, Luxair, Luxembourg’s premier airline, disclosed that a data breach involving an external service provider had occurred, potentially exposing sensitive passenger data. Customers are urged to remain vigilant, especially against phishing attempts that may mimic official Luxair communications.

This alarming development has raised concerns among Luxair’s vast clientele about the safety of their personal information.

Data breach

Luxair’s association with its service provider revolves around managing flight disruptions. The provider is primarily tasked with assisting Luxair in communicating with its customers during flight delays, ensuring they receive meal vouchers and facilitating hotel reservations when required.

However, it has come to light that the service provider’s cloud server, where crucial data was hosted, was inadequately protected. Despite previous guarantees of stringent data protection standards, this weakness left Luxair customer data potentially open to unauthorised access.

Passengers who faced disruptions in their flights between November 2020 and 4 July 2023 may be particularly at risk. Their booking data, details regarding meal vouchers, hotel reservations or even SMS disruption notifications might have been exposed to unauthorised third parties. Luxair emphasised, however, that the mere accessibility of this data doesn’t confirm that all of it was indeed accessed by malicious actors.

Immediate response and current status

Upon discovery, swift action was taken to bolster the server’s security, sealing off potential access points for external threats. Pending a thorough investigation and to ensure passenger data security, services offered by the provider, namely vouchers and hotel bookings, have been temporarily suspended.

Guidance for affected customers

In light of these events, Luxair is urging its passengers to remain vigilant. There’s a heightened risk of phishing attempts, especially through communications impersonating Luxair's official branding.

To ensure safety, Luxair advises passengers to scrutinise email attachments and verify the domain name of the sender. The SPAMBEE initiative is available for . Customers should abstain from sharing confidential data by email. Keeping electronic devices updated is crucial, and any unusual cyber activity should be reported to BEE-SECURE, Luxembourg’s initiative for promoting safe IT practices.

For passengers requiring further details or with lingering concerns, Luxair has established a dedicated communication line. Queries can be directed to their Data Protection Officer at .

As Luxair navigates through this challenging episode, the emphasis is on reinforcing digital security measures and ensuring the trust of their customers remains intact. Passengers are equally encouraged to stay alert and safeguard their information diligently.