Three airlines hit by cyberattacks in three weeks, Scattered Spider to blame: Qantas leads with most damage

In a dramatic escalation of cyber threats to global aviation, three major airlines—WestJet (Canada), Hawaiian Airlines (USA), and Qantas (Australia)—have confirmed cyberattacks in the last three weeks, with all signs pointing to the notorious hacking group Scattered Spider as the culprit.

A wave of attacks across continents

• WestJet reported a cybersecurity incident beginning June 13, which disrupted internal systems and restricted access for users of its app and website. The airline responded by launching an investigation, engaging top-tier cybersecurity experts, and notifying both customers and authorities. While operations remained stable, WestJet warned that some guests might experience intermittent digital service interruptions as they worked to resolve the issue.
  
• Hawaiian Airlines announced a “cybersecurity event” on June 26 affecting certain IT systems. The airline emphasized that flight operations and guest safety were not impacted, but it was working with federal authorities and cybersecurity specialists to assess the extent of the breach and restore affected systems. Hawaiian Airlines has committed to providing updates as the investigation continues.
  
• Qantas confirmed a cyber incident on June 30, which compromised the data of approximately six million customers via a third-party customer service platform. While the breach did not include financial or passport data, it underscored the sector’s vulnerability to sophisticated cyber threats.
  

The scattered spider threat

Scattered Spider, also known as UNC3944, is a loosely organized group of primarily English-speaking young men known for their advanced social engineering tactics. They specialize in tricking employees and contractors into granting access to sensitive systems, often using phishing, SIM swapping, and impersonation. Once inside, they may deploy ransomware or sell access to other cybercriminals.

Charles Carmakal, CTO of Mandiant (Google Cloud), noted:


“Mandiant is aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider. The actor’s core tactics, techniques, and procedures have remained consistent, meaning organizations can take proactive steps like training help desk staff to enforce robust identity verification and deploying phishing-resistant MFA to defend against these intrusions.”

The FBI issued a warning on June 27, alerting the aviation industry that Scattered Spider is expanding its focus and that "anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk". The agency urged early reporting of suspicious activity to facilitate rapid response and intelligence sharing across the sector.

Cybersecurity experts warn that these attacks are likely just the beginning. Airlines are attractive targets due to their vast stores of personal data, reliance on legacy IT systems, and complex networks of third-party vendors. The recent attacks have not disrupted flight operations but have exposed significant vulnerabilities in digital infrastructure.

As investigations continue, authorities and cybersecurity professionals are urging all airlines to strengthen digital defenses, enhance employee training, and implement multi-factor authentication to guard against increasingly sophisticated threats.