These 3 Airlines Were Cyberattacked In The Last 3 Weeks—Here’s What We Know
In the past three weeks, three major global airlines—WestJet (Canada), Hawaiian Airlines (U.S.) and Qantas (Australia)—have publicly confirmed cyberattacks impacting their systems. These breaches have left many wondering if cybersecurity experts are right to suspect that more carriers may have been targeted by the same hacker group responsible for these incidents.
WestJet reported a cybersecurity incident beginning June 13, affecting internal systems and potentially customer access to its app and website. In a Securities and Exchange Commission filing, Hawaiian Airlines disclosed a cybersecurity event that began on June 23 and affected certain information technology systems.
The FBI recently warned it has observed “the cybercriminal group Scattered Spider expanding its targeting to include the airline sector” and that “anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.” Charles Carmakal, chief technology officer of Mandiant, a cybersecurity firm and a subsidiary of Google, wrote on LinkedIn of “multiple incidents in the airline and transportation sector” resembling Scattered Spider’s tactics, suggesting other airlines may have been targeted.
Qantas Airlines, Australia’s flagship carrier, reported that a cyber incident had occurred Monday in one of its contact centers, exposing records for as many as 6 million customers. However, importantly, no credit card details, personal financial information, passport details or frequent flyer account information were held in the system.
Scattered Spider is a loose community of hackers that has been credited with many high-profile cyberattacks in recent years, including the 2023 ransomware attacks on MGM Resorts and Caesars Entertainment. The group is primarily composed of young adults and some teenagers, mainly native English speakers based in the United States, Canada and the United Kingdom.
Scattered Spider is best known for using sophisticated social engineering tactics like phishing, SIM swapping and impersonation to bypass multi-factor authentication security processes. “Something they do probably better than any other group out there is social engineering, and a big part of that success is the Western accent,” Carmakal said.
Once they’ve infiltrated a company’s system, a hacker group may not reveal itself immediately. Alex Waintraub, a cyber crisis management expert at Waintraub Cyber Solutions who has worked on hundreds of ransom cases, told Forbes: “In a lot of cases, they’ll move laterally and search for a cyber insurance plan or an incident response plan or a breakdown of the company’s financials as a way of assessing their demand.”
The goal is to arrive at the highest number that the company would be willing to pay in return for the stolen information. “I don’t want to say there’s honor amongst thieves because that gives them a little too much credit,” Carmakal said. “But I think these groups understand the business model, and they’re going to comply with the business model so that they can continue to make money. And that model requires them to stay true to their word.”
Why Are Airlines Being Targeted In Cyber Attacks?
“Aviation is data rich and companies often have older legacy systems that are interconnected with a bunch of third-party platforms,” Waintraub said. “They have massive troves of personal data and loyalty program data and travel information, and that makes them a nice target.”
One possibility for the timing, suggested Carmakal, is simply that it’s peak travel season with a holiday weekend coming up. “These threat actors are not just motivated by money,” he said. “They do like the ego. They like being able to brag to their friends and say that they are responsible for this news story or this outage.”
Scattered Spider’s modus operandi has been to swoop into a sector and select multiple targets before moving on. “They tend to stick with that sector for a few weeks and go after big organizations,” Carmakal said. “It doesn’t have to be the biggest.”
Which Other Airlines, If Any, Have Been Attacked?
“Pretty much every North American airline is on high alert because they’ve heard the warning,” Carmakal said. “You usually see disclosures happen weeks after the fact—but not every company has to disclose. It depends on how far the attacker went. Victim organizations may not yet have gotten to the point in their investigation that they know if data was stolen.”
Should Consumers Be Worried That Their Personal Data Was Exposed?
“Consumers are generally protected by the major financial institutions if credit card numbers are exposed,” Carmakal said. If a credit card number is used by a bad actor, for example, “you’re going to get a new credit card and you’re not going to be liable for any fraudulent purchases.”
He says identity theft is harder to protect against and acknowledges that “Social Security numbers have been stolen so many times and are generally available to any threat actor that wants to have access to them.” As a general common-sense precaution, he recommends freezing your credit with the three major U.S. credit bureaus (Equifax, Experian and TransUnion) to prevent anyone from taking out credit in your name.