A flurry of cyber incidents targeting airlines, along with an FBI alert that airlines are being actively targeted with ransomware, means carriers must be on high alert as we enter the busy summer travel season.
Three airlines have confirmed cyber incidents since June 2025: Australian airline Qantas, Canada’s WestJet Airlines and Hawaiian Airlines.
On June 30, the FBI issued a warning that the threat group Scattered Spider is actively targeting airlines with ransomware and data extortion attacks.
Why Airlines’ Extensive Customer Information Makes Them a Goldmine
Airlines are just as vulnerable to cyber-attacks as any other organization, and the recent incidents appear to have come via third-party software-as-a-service (SaaS) providers.
Qantas confirmed that the incident originated from a cybercriminal targeting a call center and gaining access to a third-party customer servicing platform.
The WestJet cyber incident involved its internal systems and the WestJet app. Meanwhile, the Hawaiian Airlines incident affected some of its IT systems, but no other information on this has been shared to date.
Aviation services remain operational for the three airlines, and the main aim of the threat group appears to be data theft.
The targeting of SaaS suppliers is a typical modus operandi of the Scattered Spider cybercriminal collective, which has also been linked to recent attacks on retailers such as Marks & Spencer, The Co-op and Adidas.
While airlines’ physical airside operations often run on legacy IT and OT infrastructure that could be vulnerable to cyber-attack, these are not at the center of the recent attacks.
Toby Lewis, global head of threat analysis at Darktrace, noted that taking down airline operations – which are typically considered critical national infrastructure (CNI) – is a much higher-stakes play for a threat actor.
Speaking to Infosecurity, Lewis said, “These airlines are not being targeted because they are airlines but because at their core, they’re retailers that handle high value transactions. If you want a group of individuals who have a couple of thousands worth of disposable income, then customers of an international airline are probably a good bet.”
Customers Urged to be on High Alert
It is not yet known how the attackers are seeking to monetize these hacks, but Lewis suggested that stolen data could be used to facilitate fraud operations against customers or sold on the dark web.
Qantas has confirmed that some customer data has been stolen, while WestJet and Hawaiian Airlines have not suggested any data has been stolen at the time of writing.
WestJet advised that “guests and employees exercise additional caution at this time, especially when sharing personal information.”
Tenable’s cyber security research team has said that, based on its own investigation, the data relating to the Qantas incident has not yet been sold by the threat actors.
For customers of affected airlines, Vonny Gamot, head of EMEA at online protection company McAfee, advised, “Assume you're affected – even if you haven't received notification, assume your information may have been compromised if you've been a customer. Companies often take weeks to identify all affected individuals.”
Password changes, monitoring of financial accounts and enabling multifactor authentication (MFA) are also key.
Customers of Qantas must also be on high alert for phishing attempts, according to William Wright, CEO of Closed Door Security.
“These emails could be designed to look like genuine communications in relation to the incident but are actually aimed at tricking recipients into handing out their personal or financial information. It is therefore essential that customers take note of this threat and treat all communications around the incident with caution,” Wright said.
Airline Breaches Bear Hallmarks of Scattered Spider's Tactics
While affected airlines have shared some details of the recent attacks, none have been attributed to the hacking group thus far.
However, most industry experts have commented on the link between the type of attack and Scattered Spider’s recently observed tactics.
Will Thomas, Senior Threat Intelligence Advisor, Team Cymru, explained the tactics, techniques and procedures (TTPs) used by Scattered Spider in an interview with Infosecurity.
This loose collective of cybercriminals typically leverages social engineering to gain initial access to third-party IT providers, bypassing MFA.
It is also known that most of the group’s affiliates are young, English-speaking individuals based in western countries, which gives them an advantage when carrying out such social engineering attacks.
The motivation for these attacks is primarily financial, but given the big brands that have made the headlines, some argue they are also motivated by the desire to score a big win that impresses their peers.
Brett Winterford, VP of threat intelligence at Okta, commented: “Their targeting is opportunistic. If they enjoy success against a target in any given industry, they’ll rinse and repeat against similar organizations. We’ve observed this in attacks on the gaming sector, on the UK retail sector, on insurance and now in aviation.”
High-Profile Attacks Put Scattered Spider in Global Law Enforcement Crosshairs
Lewis noted that because of the high-profile nature of the incidents that have been aligned to Scattered Spider, the group is likely to attract the attention of law enforcement globally.
There are many challenges, however, when it comes to pursuing and prosecuting such criminals.
“Because there are much more loosely defined collectives that in itself presents a certain amount of operational security to how they operate. They're not all logging on to a single port, or all emailing each other in the sort of consolidated open architecture that you might have in the more established or more traditional cybercrime gang,” he explained.
Other considerations are the jurisdictions from which the criminals operate, which can prevent law enforcement from acting. While the group is understood to be based in western countries, they are globally distributed.