The airline issued a warning to customers following the revelation that passengers' personal data had not been stored securely by an external service provider.
According to a press release, a "security incident" took place at an unnamed external company which had been tasked with contacting Luxair customers travelling on disrupted or delayed flights. The communication largely involved issuing meal vouchers or hotel reservations.
It later transpired the external provider hosted its data in the cloud, which, according to Luxair, was "not adequately secured" and therefore meant passenger data was accessible online. Although the airline was unable to confirm whether the private information had been subjected to hackers or not, it warned customers to remain vigilant in the event such a leak had taken place.
The breach concerns any Luxair customers who received communication via text message regarding meal vouchers or hotel reservations following a delay or cancellation, between November 2020 and 4 July 2023.
While Luxair declined to name the external company involved, the airline confirmed that the provider's services had been suspended until further notice.
Customers affected are advised to exercise caution in case of phishing scams (messages purporting to be from Luxair with the aim of extracting personal information, such as credit card details). Luxair recommends not opening attachments or links in suspicious emails and warns against sharing personal information via email.
In the event customers receive scam emails or messages, they are advised to report the matter to Bee-Secure.
An email address has been set up for passengers who would like more information on this data leak: data.breach@luxairgroup.lu
