Information in accordance with Art. 34(1) GDPR about unauthorized access to data in January 2024
In January 2024, a service provider commissioned by Lufthansa Group experienced unauthorized access to an IT system used to make hotel bookings in the event of flight cancellations. In accordance with Art. 34(1) GDPR, the respective Lufthansa Group airlines are notifying all affected passengers (provided that their email contact details were saved in the booking) of this incident and explaining the measures Lufthansa Group took immediately after becoming aware of it to protect customer data.
Informing passengers who have booked through travel agencies or tour operators
Provided that the travelers’ contact details were stored in the booking, the Lufthansa Group airlines are also informing all affected passengers who did not book directly with the Lufthansa Group airlines (i.e., via website, Service Center, ticket counter at the airport), but through travel agencies or tour operators. If contact details are missing, it will not be possible to inform customers. If your customers are potentially affected by unauthorized data access, please contact hoteltool.information@lufthansa-group.com as required.
What happened?
Accidental publication of login information allowed unauthorized access to our external service provider's hotel bookings application, in which selected data relating to passengers with hotel bookings between 2 November 2019 and 22 January 2024 could be viewed. The application supports passengers affected by a cancelled flight by issuing accommodation vouchers for hotels.
Which data is affected in detail?
Affected records contained first and last name, gender, mobile phone number, and reference to travel with a toddler, as well as flight number of the cancelled flight, voucher number and the day of the hotel booking. There is no evidence that any other customer data has been accessed. Payment details or email addresses were not visible to unauthorized persons at any time.
How did the Lufthansa Group airlines react?
Immediately after discovery of the access, the affected IT system of the external service provider was deactivated, and all necessary technical and organizational measures were implemented to rectify the problem and protect customer data and Lufthansa Group IT systems. Further unauthorized access was therefore no longer possible.
Specifically, the following measures have been taken:
- Renewal of all access data
- Intensive analysis of further access attempts, including security tests of the software
- Checking for publication of accessed data. There have been no findings of the data being published
- Improving the security of the installation process for future software versions
- Increasing security through automatic detection, tracking and mitigation of threats in the IT systems
- Raising developers’ awareness through training
Only after extensive security tests was the IT system put back into operation.
What are the possible consequences of the incident?
Through this access, unauthorized third parties could have gained knowledge of the day of your customer's hotel stay due to a flight cancellation. There is also a residual risk that affected passengers may receive phishing attempts via text message or phone call.
Why are we informing you today?
After the discovery of the unauthorized access and the immediate deactivation of the system, IT specialists from Lufthansa Group, the commissioned service provider and additional specialized IT security providers immediately investigated the unauthorized access and implemented measures to protect customers’ data.
Lufthansa Group has also informed the responsible data protection authorities in accordance with both its internal and statutory data protection regulations and has undertaken a reappraisal and evaluation of the incident together with that data protection authority.
Now that both processes have been completed, we can inform you about the incident affecting customer data.
How do the Lufthansa Group airlines generally protect customer data?
Lufthansa Group gives the highest priority to the protection of personal data. Therefore, apart from specific measures as in the present case, the Group continuously uses technical and organizational measures to secure customer data.
Lufthansa Group employees, partners and service providers are regularly made aware of the challenges of data protection and data security.
The Lufthansa Group airlines would like to apologize for the unauthorized data access and hope that your customers were not inconvenienced by this incident.
This communication is for information only. Please give it your careful attention. If you or your customers require further information, please contact: hoteltool.information@lufthansa-group.com
04.11.2024 13:55 CET