On October 11, 2025, reports emerged that more than seven million customer accounts (with some sources estimating 23 million) linked to Vietnam Airlines (VNA) had been compromised in a major data breach.
The leak, traced to a breach in the airline’s Salesforce-based customer relationship management (CRM) platform, exposed personal data ranging from names and contact details to loyalty program information. It was a serious cybersecurity incident by any measure, yet the public response was curiously muted.
Initial signs of the breach did not come from Vietnamese authorities or media but from hacker forums and breach monitoring services abroad. In June 2025, attackers gained access to the CRM system used by VNA, but the data only surfaced in October when it was listed for sale online by the hacking group ShinyHunters.
The breach was independently verified by cybersecurity researchers and noted in databases such as Have I Been Pwned, with an estimated 7.3 million user accounts compromised.
VNA remained silent for more than two days after the data was made public, ultimately confirming the incident through an email notice to customers on October 14. Rather than addressing the specifics of the breach or offering a substantive apology, the notice began by emphasizing that VNA was merely one among several global companies affected.
The communication came across more as an attempt to deflect responsibility than to provide genuine reassurance or accountability. The delayed notice suggests that internal reviews and consultations with relevant authorities were prioritized over timely and transparent public communication.
Although a few domestic outlets eventually reported on the breach, their coverage was minimal and largely reactive – published only after the incident had gained attention in international cybersecurity circles. Most local reports simply cited the official VNA statement, omitting key details such as the estimated number of compromised accounts.
These reports tended to be terse, unanalytical and reliant on translated summaries of foreign cybersecurity sources rather than independent investigation. Mainstream outlets offered limited context or follow-up, even as international platforms sounded alarms over the scale and implications of the data leak.
As of October 15, the incident has disappeared from the front pages of leading state-run news agencies such as VnExpress, Tuoi Tre and Thanh Nien.
This limp news coverage fits within a broader media culture in Vietnam, where reporting on failures involving national flagship entities – particularly those with links to the state or military – is often censored or constrained. Journalists may delay publication until official statements are released or avoid editorialising on issues that touch on governance or public confidence in state institutions.
The result is an information environment where citizens must often turn to foreign tech blogs, breach databases or social media to access timely information about their personal data security. In a country undergoing rapid digitalization, this gap between threat and transparency is becoming increasingly problematic.
Several factors likely contributed to the slow and subdued response. Institutional caution played a significant role, as Vietnam Airlines – a key state-affiliated enterprise – faces considerable reputational and regulatory risk when publicly admitting a data breach.
The involvement of Salesforce, an international cloud-based platform, added a layer of third-party complexity that may have prompted both Vietnamese media and officials to delay comment until the circumstances were fully clarified with foreign stakeholders.
Furthermore, longstanding information control norms in Vietnam have favored quiet crisis containment over immediate transparency, particularly when incidents touch on strategic infrastructure or national reputation.
While these tendencies are not unique to Vietnam, they pose particular challenges in the cybersecurity space, where rapid response and clear communication are critical to minimizing harm. Despite the seriousness of the breach, public-facing advisories remained limited.
While the media relayed VNA’s suggestion that users change their passwords or guard against phishing scams, there was no genuine sense of urgency conveyed in official communications. Urgent warnings circulated mainly through cybersecurity forums and tech-focused social media channels, rather than the mainstream media, where most affected users could have been reached.
This lack of proactive outreach not only increases user vulnerability but also erodes trust. As Vietnam becomes more digitally integrated – with cloud computing, e-government services and cross-border data flows – a reactive posture to cyber threats will no longer suffice.
Vietnam Airlines’ data breach should serve as a turning point in how digital incidents are reported, managed and communicated. The technical failure, while serious, is not what stands out most. Nor is VNA necessarily at fault for the breach. Rather, it is the slow trickle of information, the lack of clarity and the silence in places where public warning should have been loudest.
As Vietnam seeks to attract foreign investment for its burgeoning digital economy, this relatively closed-door, reactive approach to cybersecurity becomes a significant liability. International partners and domestic users alike require a framework of trust that can only be built on transparency – something this breach proves is still under construction.