In January 2024, an IT system at a service provider commissioned by the Lufthansa Group, which makes hotel bookings in the event of flight cancellations, was subject to unauthorized access. In accordance with Art. 34 (1) GDPR, the Lufthansa Group airlines in question were transparent in informing all affected passengers about this incident and the measures taken by the Lufthansa Group immediately after becoming aware of it in order to protect their data (as long as the contact details were entered at the time of booking). Despite implementing stringent measures, Lufthansa Group could not reach all those affected due to missing or incorrect contact details. To ensure that all those affected are fully informed of the incident, all the relevant information is listed below.
Information pursuant to Art. 34 (1) GDPR on an unauthorized data access in January 2024
What happened?
A security breach permitted access to an application belonging to our third-party hotel booking service provider for overnight stays during the period from 2 November 2019 to 22 January 2024, resulting in an unauthorized data outflow. The application assists guests affected by a flight irregularity by issuing hotel accommodation vouchers. The data affected by the unauthorized data outflow is listed below.
What are the details of the data affected?
The data records affected contained first and last names, gender, mobile phone numbers, information about travelling with an infant, the flight number of the cancelled flight, the voucher number and the day of the hotel booking. There is no evidence that any other customer data has been stolen or compromised. Neither payment details nor email addresses were visible to unauthorized persons at any time.
How did Lufthansa Group airlines react?
As soon as the breach was discovered, the affected IT system belonging to the external service provider was promptly deactivated and all necessary technical and organisational measures were implemented to remedy the situation and protect both customer data and IT systems. This ensured that any further unauthorized access was no longer possible.
The specific measures taken are as follows:
- All login details were updated
- Any further access attempts were thoroughly analysed including security tests of the software
- Checks were made to ascertain whether stolen data had been disclosed, with no significant result
- The security of the installation process of future software releases was optimised
- IT security has been strengthened by automatically recognising, detecting and mitigating threats in the system
- Developers’ awareness has been enhanced through training
The IT system was only put back into operation after comprehensive security tests.
What are the possible consequences of the incident?
The unauthorized access may have made hackers aware of the day of the hotel stay due to a flight irregularity. There is also a residual risk that affected passengers may receive phishing attempts via text message or phone call.
How did Lufthansa Group inform affected passengers?
After becoming aware of the unauthorized access and immediate deactivation of the system, IT specialists from the Lufthansa Group, the contracted service provider and additional specialised IT security service providers promptly initiated an investigation of the unauthorized access and implemented measures to protect your data.
Likewise, in accordance with our internal as well as statutory data protection regulations, the Lufthansa Group informed the competent data protection authority and carried out a joint review and assessment of the incident.
By the time both processes were complete, all those affected for whom contact details were available had been comprehensively informed.
More generally, how do Lufthansa Group airlines protect customer data?
The protection of personal data is a top priority for the Lufthansa Group. In addition to concrete actions as in the present case, the Lufthansa Group continuously uses technical and organisational measures to secure customer data. Lufthansa Group employees, partners and service providers are regularly trained on the topic of data protection and data security.

Lufthansa Group airlines would like to apologise for this incident and hope that it has not caused any inconvenience.
This article is for information and increased awareness only. For more information, please contact: hoteltool.information@lufthansa-group.com