Japan Airlines (JAL) has disclosed a significant data breach affecting its same-day luggage delivery service, with personal information of up to 28,000 customers potentially compromised. The incident, announced on February 10, 2026, raises important security concerns for foreign residents who frequently use the airline's convenient baggage transport services. According to NHK, the breach occurred when JAL's reservation system for its airport-to-hotel luggage delivery service was targeted by unauthorized external access. The compromised service allows travelers to have their baggage transported directly from airports to hotels or other destinations, eliminating the need to carry heavy luggage on public transportation—a feature particularly popular among international travelers and business visitors. The exposed data includes customer names and telephone numbers, information that could potentially be exploited for phishing attempts or other fraudulent activities. While JAL has not disclosed the exact timeline of the breach or how long unauthorized parties had access to the system, the maximum number of affected customers stands at approximately 28,000 individuals who used the service during the vulnerable period. For expats living in Japan, this breach serves as a reminder of the importance of monitoring personal accounts and being vigilant against suspicious communications. Those who have used JAL's same-day luggage delivery service should be particularly cautious about unexpected phone calls or messages claiming to be from the airline or related service providers. Scammers often exploit breached data to create convincing phishing attempts, using legitimate customer names and partial information to gain trust. The incident highlights broader cybersecurity challenges facing Japan's aviation and logistics sectors. As airlines increasingly digitize their services to enhance customer convenience, they also expand their vulnerability to cyberattacks. JAL's luggage delivery service, which bridges the gap between air travel and ground transportation, relies on integrated booking systems that collect and store customer data—making such platforms attractive targets for malicious actors. JAL has not yet provided detailed information about the specific security measures that failed or what steps are being implemented to prevent future breaches. The airline also has not announced whether affected customers will receive direct notification or what compensation, if any, might be offered. This lack of detailed communication may leave customers uncertain about their exposure level and appropriate protective measures. Foreign residents should take proactive steps to protect themselves. First, if you have used JAL's luggage delivery service recently, monitor your phone for suspicious calls and avoid sharing additional personal information with unsolicited callers claiming to represent JAL or affiliated companies. Second, consider changing passwords for any JAL-related accounts or loyalty programs, even though the breach reportedly did not involve account credentials. Third, be skeptical of emails or messages requesting personal information or payment details, even if they appear legitimate. The timing of this breach is particularly concerning as Japan enters its busy spring travel season, when many expats and visitors utilize airport services extensively. Business travelers and families returning from overseas trips frequently rely on luggage delivery services to simplify their journeys, making this a high-traffic period for such platforms. As investigations continue, affected customers should watch for official communications from JAL through verified channels. The airline's official website and customer service hotlines remain the most reliable sources for updates and guidance. This incident underscores the need for all travelers in Japan to maintain awareness of data security risks and practice good digital hygiene, even when using services from established, trusted companies. While JAL works to address this security failure, the breach serves as an important reminder that convenience-focused services require robust cybersecurity protections to safeguard customer trust and personal information.