Questions and answers about the data privacy incident
As of: 24.10.2024
Here you’ll find answers to questions about the unauthorised access to the IT infrastructure of a Lufthansa Group service provider.
1.1 Incident and affected data
There was a case of unauthorised access to the IT infrastructure of a Lufthansa Group service provider. The affected system is the app the Lufthansa Group uses to issue hotel vouchers in the event of flight irregularities. Some data records of affected guests could be viewed.
The affected data includes the first and last name, gender, mobile phone number (if entered), information about trips with an infant, flight number, voucher number and the day of the hotel booking. Other data such as payment details or email addresses were not affected.
The incident occurred because login credentials for our external service provider's IT infrastructure were temporarily exposed to third parties. This allowed unauthorised access to the IT systems. The access was blocked immediately after the incident was detected.
The incident was detected during an internal security check that revealed irregularities in access to the contracted service provider's IT systems.
No, the reviews found no evidence of further cases of unauthorised access or of any publication of the data.
1.2 Risk and impact
There is no immediate risk for you. In the worst case, you could be contacted by unauthorised individuals, e.g. in connection with your overnight stay at the hotel.
Possible consequences include affected persons being contacted by unauthorised individuals, e.g. via phishing attempts by text message or phone call. Because the data that could be viewed includes your name, mobile phone number, flight number and the day of the hotel booking, such contact could be made to appear plausible. There is a small risk that someone attempts to misuse the acquired data to obtain further personal data or to act with fraudulent intent. However, the overall risk can be regarded as limited because no sensitive details such as payment details or email addresses were affected.
There are no immediate steps required on your part. However, the Lufthansa Group recommends staying vigilant and looking out for suspicious attempts to contact you, including phishing messages or unexpected phone calls, in particular any that refer to your flight or hotel booking.
1.3 Measures and reactions
After the discovery of the incident, the IT system of our external service provider was immediately deactivated, and measures were adopted to resolve the issue and protect your data.
All login credentials were replaced, the software's security was tested, and further potential access scenarios were reviewed. No evidence of any publication of the data was found. Moreover, the installation procedures of our external service provider were improved, and the external developers' awareness of IT security was raised.
Following comprehensive security reviews and the implementation of additional safeguards, the external system has been secured. Furthermore, the Lufthansa Group continuously uses state-of-the-art security technologies and focuses on regular training of its external operators.
1.4 Communication and data protection
Yes, affected customers were informed directly by the Lufthansa Group as soon as all required information was available and coordination with the relevant regulatory body for data protection and information security had been completed.
The investigation of the incident, the coordination with the data protection authority and the implementation of comprehensive safeguards took time. Once these processes had been fully completed, we informed you without further delay.
We are contacting you by email because your email address is stored on our internal systems, which were not affected by the incident. This enables us to inform you reliably and swiftly about the incident, even though the only contact details accessed were mobile phone numbers. In this way, we can ensure that you receive all the important information and are alerted to potential risks such as phishing attempts.
Protecting your data is of utmost priority to the Lufthansa Group. For this purpose, various technical and organisational measures are employed to protect your personal information. This includes modern encryption technologies, regular security updates as well as access monitoring. The IT systems of the Lufthansa Group are continuously checked for security flaws, and employees receive regular training for dealing with data protection and data security.
Yes, we immediately reported the incident to the Hessian Commissioner for Data Protection and Freedom of Information (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit). Working closely with the authorities, all required measures for evaluating the incident and ensuring conformity with data protection law were put into action.