I was notified by haveibeenpwned at the weekend. I have no status or loyalty program with VN, no login to the VN website, but I did buy a couple of cash tickets via a third party OTA for internal flights within Vietnam in May and early June 2025. So the basic of basic details existed about me in VNs systems, yet I was in scope of the breach. And they didn't let me know about the breach which as an EU/UK data subject they should have, by law.
Here's what HIBP said for me:
Email Found:
xxx@xxxxxxxxxx
Breach:
Vietnam Airlines
Date of Breach:
June 2025
Breached Accounts:
7.32 million
Compromised Data:
Dates of birth, Email addresses, Loyalty program details, Names, Phone numbers
Description:
In October 2025, data stolen from the Salesforce instances of multiple companies by a hacking group calling itself "Scattered LAPSUS$ Hunters" was publicly released. Among the affected organisations was Vietnam Airlines, which had 7.5M unique customer email addresses exposed following a breach of its Salesforce environment in June of that year. The compromised data also included names, phone numbers, dates of birth, and loyalty program membership numbers.