The data breach at Air France–KLM demonstrates how vulnerable organizations can be through their digital supply chain. In 2018, it became known that personal data of hundreds of thousands of customers had been accessed by unauthorized parties. This did not involve a hack of the airline group’s core systems, but an incident at an external party that provided CRM services.
CRM (Customer Relationship Management) is software that organizations use to manage customer data, communication, and service processes. Precisely because these systems are rich in personal data, they form an attractive target. For executives, this type of incident is sobering: even when their own IT security is in order, a vulnerability at a supplier can directly lead to reputation and compliance problems. The Air France–KLM incident underscores that an organization's digital perimeter in practice extends to its suppliers and partners.
What went wrong in the external CRM environment
According to publicly disclosed information, attackers used compromised login credentials from an external service provider that performed CRM work for Air France. This supplier worked with the CRM platform of Salesforce, a widely used cloud solution for customer management. The software itself was not hacked; the weak point was in the use and management of accounts. With valid usernames and passwords, attackers could access customer data for a period of time, including names, contact details, and Flying Blue numbers. For non-technical readers, this is an important insight: many data breaches do not arise from “high-tech hacks,” but from abuse of legitimate access. This makes such risks difficult to detect and emphasizes the importance of strict access control, monitoring, and clear agreements with external parties about security.
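The paragraph above makes the point that abuse of valid supplier credentials is hard to spot because every request looks legitimate. What monitoring can still catch is behaviour that falls outside what was agreed with the supplier: connections from unexpected networks, activity outside service hours, and unusually large volumes of customer records. The following is an added example written for this article, not code from Air France–KLM, the supplier, or Salesforce. The audit-log format, the account name `crm-vendor-svc`, the policy values and the log lines are all constructed assumptions; a real CRM platform's event format would differ.

```python
"""Hypothetical detector for abuse of legitimate supplier credentials.

Assumed audit-log format (constructed for this example, not any real
CRM product's event format), one event per line:
    <ISO timestamp>,<account>,<account type>,<event>,<record count>,<source ip>
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. A supplier account that normally touches a few
# dozen records from the supplier's own network suddenly reads tens of
# thousands of customer records late at night from an unknown address.
SAMPLE_LOG = """\
2024-03-04T09:12:00,crm-vendor-svc,third_party,login,0,198.51.100.10
2024-03-04T09:13:00,crm-vendor-svc,third_party,record_read,40,198.51.100.10
2024-03-04T10:05:00,j.doe,internal,record_read,12,10.0.0.5
2024-03-04T23:41:00,crm-vendor-svc,third_party,login,0,203.0.113.77
2024-03-04T23:42:00,crm-vendor-svc,third_party,record_read,25000,203.0.113.77
2024-03-04T23:45:00,crm-vendor-svc,third_party,record_read,30000,203.0.113.77
"""

# What a supplier agreement could encode in machine-checkable form:
# permitted source networks, agreed service hours and a normal data volume.
# These values are hypothetical.
SUPPLIER_POLICY = {
    "crm-vendor-svc": {
        "allowed_networks": ["198.51.100.0/24"],
        "service_hours": (8, 18),      # start hour inclusive, end hour exclusive
        "max_records_per_hour": 5000,  # sliding one-hour window
    }
}


def parse_log(text):
    """Parse the assumed CSV-style audit log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, account, account_type, event, count, ip = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "account_type": account_type,
            "event": event,
            "count": int(count),
            "ip": ipaddress.ip_address(ip),
        })
    return events


def detect_supplier_anomalies(events, policy):
    """Return (timestamp, account, finding, detail) tuples for third-party
    accounts whose activity falls outside their agreed policy."""
    findings = []
    recent_reads = defaultdict(list)  # account -> reads in the last hour
    for e in events:
        if e["account_type"] != "third_party" or e["account"] not in policy:
            continue  # internal users and unknown accounts are out of scope here
        p = policy[e["account"]]
        if e["event"] == "login":
            nets = [ipaddress.ip_network(n) for n in p["allowed_networks"]]
            if not any(e["ip"] in n for n in nets):
                findings.append((e["ts"], e["account"],
                                 "login_outside_allowed_networks", str(e["ip"])))
            start, end = p["service_hours"]
            if not start <= e["ts"].hour < end:
                findings.append((e["ts"], e["account"],
                                 "login_outside_service_hours", e["ts"].strftime("%H:%M")))
        elif e["event"] == "record_read":
            window = recent_reads[e["account"]]
            window.append(e)
            cutoff = e["ts"] - timedelta(hours=1)
            window[:] = [r for r in window if r["ts"] > cutoff]
            total = sum(r["count"] for r in window)
            if total > p["max_records_per_hour"]:
                findings.append((e["ts"], e["account"], "bulk_record_access", total))
    return findings


if __name__ == "__main__":
    for ts, account, finding, detail in detect_supplier_anomalies(
            parse_log(SAMPLE_LOG), SUPPLIER_POLICY):
        print(f"{ts:%Y-%m-%d %H:%M} {account} {finding} ({detail})")
```

The daytime login and the 40-record read pass all three checks; the night-time session is flagged three ways (unknown network, outside service hours, bulk access), which is the kind of signal that turns a contractual agreement about access into something a SOC can actually alert on.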
The impact: more than just a privacy incident
Although no payment data or passwords were compromised, the impact was significant. Air France–KLM had to inform customers, involve supervisors, and manage reputational damage. In the aviation sector, where trust and safety are central, a data breach can lead to long-term skepticism among customers. Additionally, the incident brought costs for forensic investigation, legal support, and improvement measures.
For executives, this is recognizable: the greatest damage from a supply-chain incident often lies not in direct financial losses, but in organizational distraction, loss of trust, and increased regulatory pressure. This also applies to medium-sized organizations, where the relative impact of such incidents is often even greater because resources are more limited.
Supply chain risk in the digital customer chain
This incident is a typical example of supply chain risk, in this case in the digital customer chain. Customer data is collected, processed, and stored through multiple parties: internal departments, cloud suppliers, and external service providers. Each link adds value but also introduces risk. What stands out is that CRM suppliers are often deeply integrated into operations while remaining outside the direct view of management and the CISO. Contracts focus on functionality and cost savings, less on security, auditing, and incident response. The data breach at Air France–KLM makes clear that organizations must know who has access to their customer data, under what conditions, and with what oversight. Without that insight, effective risk management is impossible.
Executive lessons: from trusting to verifying
An important lesson for executives is that trust in reputable suppliers is not sufficient. “Trust, but verify” applies also – and perhaps especially – to large, well-known parties. This means that management must ask explicit questions about access management, logging, and incident handling at suppliers. For CISOs, the challenge lies in translating these questions into concrete requirements without getting bogged down in technical details. Consider periodic checks, mandatory use of additional security steps when logging in, and clear agreements about reporting obligations in case of incidents. The Air France–KLM incident shows that governance around suppliers is not an administrative burden, but an essential part of business continuity and reputation protection.
Relevance for Dutch medium-sized organizations
Although Air France–KLM is a large international player, the lessons are very relevant for Dutch medium-sized organizations. They also make intensive use of external CRM systems, marketing platforms, and cloud services. Precisely because these solutions are efficient and scalable, their risks are sometimes underestimated. The incident shows that digital supply chains often extend further than assumed and that one weak link is sufficient for a data breach.
On the positive side, more and more organizations are learning from this by structurally assessing supplier risks and placing responsibility at the executive level. By explicitly linking supply chain risk to customer trust and reputation, the topic becomes tangible and manageable. That is the most important gain from this incident: awareness that leads to more mature decision-making in the digital chain.