
Scattered Spider Targets Airlines: How a Notorious Hacking Group Is Exploiting Aviation During Peak Travel Season

Summer travel season is supposed to be a time of excitement—adventures, family reunions, and business trips that cross continents. But in 2025, as travelers packed their bags, a chilling warning rippled through the aviation industry: the infamous Scattered Spider hacking group had set its sights on airlines. Major carriers like Hawaiian Airlines, WestJet, and now Qantas have all fallen victim to sophisticated cyberattacks, sending shockwaves through an industry already under pressure.

If you’re a frequent flyer, work in aviation, or simply wonder how cyber threats evolve, this isn’t just headline news—it’s a wake-up call. Let’s dive deep into what’s happening, why it matters, and how airlines (and you) can stay one step ahead of cybercriminals.


Who Is Scattered Spider? Unmasking a Modern Cybercrime Syndicate

Before we unpack the recent airline breaches, let’s clarify: Who exactly is Scattered Spider?

A Shadowy Collective With Many Names

You might hear them referred to as Muddled Libra, UNC3944, Starfraud, Scatter Swine, Octo Tempest, or 0ktapus. Under any alias, Scattered Spider is one of the world’s most notorious cybercrime groups—a loose, highly adaptive collective known for high-stakes hacking campaigns.

Their specialty? Social engineering. Rather than relying solely on high-tech exploits, they trick real humans—corporate help desk staff, IT support, and sometimes even executives—into handing over the keys to the digital kingdom.

A Track Record of Devastation

Scattered Spider isn’t new to the big leagues. Their 2023 breaches of MGM Resorts and Caesars Entertainment reportedly cost those companies millions and paralyzed operations for days. In the months leading up to their focus on airlines, they blitzed sectors like retail (Marks & Spencer, Harrods, Adidas) and insurance (Aflac, Philadelphia Insurance Companies), often targeting third-party services vital to business operations.

Why does this matter?

Because, as we’ll see, any large industry with complex networks and outsourced support functions is on their radar—and airlines are about as high-value as it gets.


Airline Cyberattacks in 2025: What Happened at Qantas, Hawaiian, and WestJet?

In June 2025, as travelers scrambled for summer flights, a series of coordinated attacks rocked the airline industry.

The Qantas Breach Explained

On June 30, 2025, Qantas detected “unusual activity” on a third-party platform used by its contact center. Within hours, the company contained the incident. The affected system held:

  • Some customers’ names, emails, phone numbers, and birth dates
  • Frequent Flyer numbers (but no passwords or login details)
  • No credit card, financial, or passport information

Qantas’ own core systems remained untouched. But here’s the kicker: experts quickly recognized the tactics as classic Scattered Spider.

“Qantas’ cyber breach bears the hallmarks of Scattered Spider, the same group behind recent attacks on Hawaiian Airlines, WestJet, and Marks & Spencer—likely through compromising a third-party SaaS platform like Salesforce or Zendesk.”
— Toby Lewis, Global Head of Threat Analysis at Darktrace

A Broader Pattern Emerges

The attacks didn’t stop at Qantas. In the same week, Hawaiian Airlines and Canada’s WestJet also reported breaches. Security researchers and incident responders linked all three to Scattered Spider, noting:

  • Reliance on advanced social engineering (impersonating staff, bypassing help desks)
  • Targeting of third-party platforms critical to airline operations
  • No immediate financial impact for passengers, but large-scale data exposure

Why Airlines Are Now Prime Targets

Airlines are uniquely vulnerable because:

  • They store vast amounts of sensitive data—from passenger PII to flight schedules.
  • They rely on call centers and help desks, often outsourced or staffed by contractors.
  • Their operations are highly interconnected with third-party IT providers.

“Airlines’ complex global networks and supply chains make them prime targets. Infiltrations can quickly escalate, leading to substantial ransoms or stolen data being sold on the dark web.”
— Brijesh Singh, Cybersecurity Expert and ADG of Police, Maharashtra


The Anatomy of a Scattered Spider Attack: Social Engineering as a Superpower

You might think hackers always use mind-bending code. But Scattered Spider’s real weapon? Understanding and exploiting human behavior.

How Do These Attacks Work?

  1. Reconnaissance: The attackers mine social media, LinkedIn, and company websites for employee names, titles, and even help desk scripts.
  2. Impersonation: Using stolen or publicly available info, they call corporate help desks, pretending to be legitimate employees or contractors.
  3. Manipulation: They convince support staff to reset passwords or add unauthorized devices to multi-factor authentication (MFA) systems.
  4. Persistence: Once inside, they search chat tools like Slack or Teams, monitor remediation calls, and even join internal video conferences to stay ahead of security teams.
  5. Exfiltration/Extortion: Sensitive data is stolen for ransom or sold. Sometimes, as with MGM, ransomware is deployed to cripple operations.

Example: The MGM Playbook

In 2023, Scattered Spider impersonated an MGM employee. A help desk worker, following a standard script, reset that employee’s credentials. The result? Hackers gained system access, leading to a $100 million loss and a 36-hour shutdown.

Why Are Help Desks So Vulnerable?

Let me explain. Help desks—especially in large, customer-facing industries—are often:

  • Outsourced, with high turnover
  • Staffed by employees who may lack deep organizational context
  • Trained to follow scripts, not challenge unusual requests

Multi-factor authentication (MFA) was supposed to fix this. But if the attacker convinces staff to add a new device or change a password, even MFA becomes a paper shield.

“The assumption with MFA is that if the user passes the second factor, they are a legitimate user. In many cases, MFA may not be OTP-based but rather secret questions—like ‘your mother’s maiden name’—which are too easy to guess or obtain through social media.”
— Sunil Varkey, Advisor at Beagle Security


Why Is This a Crisis Now? Timing, Opportunity, and the Summer Travel Surge

It’s not just what Scattered Spider is doing—it’s when they’re doing it.

Hitting Airlines at Their Most Vulnerable

Peak travel season means:

  • Increased call volume and operational stress on airline help desks
  • More contractors and temporary staff, sometimes with less training
  • Higher stakes for disruption—outages or delays can ruin vacations and cost millions

FBI and Industry Warnings

When the FBI issues a public alert, it’s time to pay attention. In July 2025, the bureau warned:

  • Scattered Spider is expanding attacks to include large airlines and their third-party vendors
  • Attackers use sophisticated social engineering—often impersonating employees or contractors
  • Once inside, they steal data for extortion and often deploy ransomware

Multiple cybersecurity giants, including Palo Alto Networks Unit 42, Google’s Mandiant, and Darktrace, echoed these concerns.


The Third-Party Problem: How SaaS Platforms Became High-Value Gateways

You might never think about the software that powers airline call centers or loyalty programs. But attackers do.

Third-Party SaaS Platforms Under Siege

Most airlines (and many large businesses) use third-party services like Salesforce, Zendesk, or custom platforms for:

  • Customer support
  • Booking management
  • Loyalty and rewards programs

These systems are treasure troves of customer data. If compromised, the ripple effects can be massive.

Why Third Parties Are Attractive Targets

  • Wider attack surface: Hackers only need to breach one vendor to potentially reach dozens of clients.
  • Slower response: Vendors may be slower to detect and report breaches.
  • Shared credentials: Poor security hygiene can mean reused passwords or insufficient MFA.

Real-World Example

In the Qantas breach, the attack was traced back to a third-party platform—not Qantas’ own IT environment. This echoes a trend seen across retail and insurance in recent months.


How Airlines (and Enterprises) Can Fight Back: Practical Cybersecurity Measures

The good news? While Scattered Spider is cunning, their tactics aren’t unstoppable. Here’s what airlines, vendors, and even individuals can do:

1. Harden Help Desk Processes

  • Enforce strict identity verification before resetting passwords or adding MFA devices.
  • Use contextual clues (recent travel, device usage, known contacts) to validate requests.
  • Regularly train help desk staff to spot social engineering red flags.

2. Upgrade MFA and Authentication

  • Move beyond simple secret questions—implement hardware tokens or app-based MFA.
  • Monitor for suspicious MFA device changes and require additional approvals for high-risk actions.
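
One way to monitor for the suspicious MFA device changes described above, shown as an added example that is not part of the original article: it flags new MFA devices enrolled shortly after a help-desk password reset, and enrollments that lack a second approver. The event field names, the `helpdesk-` actor prefix, and the sample records are constructed assumptions, not any vendor's audit schema.

```python
from datetime import datetime, timedelta

# Constructed sample audit events; field names are hypothetical, not a vendor schema.
SAMPLE_EVENTS = [
    {"ts": "2025-06-30T09:02:00", "user": "a.chen", "action": "password_reset",
     "actor": "helpdesk-17", "approver": None},
    {"ts": "2025-06-30T09:10:00", "user": "a.chen", "action": "mfa_device_added",
     "actor": "a.chen", "approver": None},
    {"ts": "2025-06-30T10:00:00", "user": "b.ortiz", "action": "mfa_device_added",
     "actor": "b.ortiz", "approver": "mgr-4"},
    {"ts": "2025-06-28T08:00:00", "user": "c.ng", "action": "password_reset",
     "actor": "helpdesk-03", "approver": None},
    {"ts": "2025-06-30T11:00:00", "user": "c.ng", "action": "mfa_device_added",
     "actor": "c.ng", "approver": None},
]

def flag_risky_mfa_changes(events, window=timedelta(hours=24)):
    """Return MFA enrollments that need human review.

    reset_then_enroll:  device added within `window` of a help-desk reset.
    no_second_approval: device added without a recorded second approver.
    """
    last_reset = {}  # user -> time of the most recent help-desk reset
    findings = []
    # ISO 8601 timestamps of equal length sort chronologically as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "password_reset" and ev["actor"].startswith("helpdesk-"):
            last_reset[ev["user"]] = when
        elif ev["action"] == "mfa_device_added":
            reasons = []
            reset_at = last_reset.get(ev["user"])
            if reset_at is not None and when - reset_at <= window:
                reasons.append("reset_then_enroll")
            if ev["approver"] is None:
                reasons.append("no_second_approval")
            if reasons:
                findings.append({"user": ev["user"], "ts": ev["ts"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in flag_risky_mfa_changes(SAMPLE_EVENTS):
        print(f["ts"], f["user"], ",".join(f["reasons"]))
```

The 24-hour window is an assumed starting point; tune it against how long legitimate users normally take to re-enroll a device after a reset.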

3. Third-Party Risk Management

  • Vet vendors for security posture before onboarding.
  • Require timely breach reporting and regular security audits in contracts.
  • Limit third-party platforms’ access to sensitive data—provide only what’s necessary.

4. Incident Response and Internal Monitoring

  • Assume attackers may already be inside—monitor for unusual account activity.
  • Proactively hunt for threats across Slack, Teams, and email platforms.
  • Keep incident response plans updated and run regular tabletop exercises.

5. Communication and Transparency

  • Notify affected users promptly if a breach occurs.
  • Share clear steps users can take to protect themselves (like resetting passwords).
  • Maintain open lines with law enforcement and industry information-sharing groups.

Why This Matters to Travelers, Not Just CIOs

If you’re not running an airline, you might wonder: “What does this have to do with me?” Let’s break it down.

For Frequent Flyers and Travelers

  • Data like names, contact info, and loyalty numbers can be used for phishing or scam attempts.
  • Be wary of unsolicited emails or texts claiming to be from your airline—verify before clicking links.
  • Use strong, unique passwords for airline accounts and enable MFA if available.

For Businesses and Enterprise Leaders

  • No industry is immune—Scattered Spider’s playbook could target retail, insurance, or even healthcare next.
  • Investing in employee training and third-party security is no longer optional—it’s essential.
  • Transparency with customers builds trust, even in the wake of a breach.

FAQ: Scattered Spider Airline Attacks

Q1: What is Scattered Spider and why are they targeting airlines now?
A: Scattered Spider is a notorious cybercrime group known for social engineering attacks on large enterprises. In 2025, they shifted focus to airlines, exploiting the industry’s reliance on third-party platforms and call centers during the busy summer travel season.

Q2: Was my credit card or passport data stolen in the Qantas breach?
A: According to Qantas, no credit card, personal financial, or passport data was compromised. Exposed information included names, contact info, birth dates, and Frequent Flyer numbers.

Q3: How do these hackers bypass security measures like MFA?
A: They often trick help desk staff into resetting passwords or adding unauthorized devices to MFA systems by impersonating employees. Weak verification methods or scripted support processes make these attacks easier.

Q4: What can airlines do to prevent similar breaches?
A: Airlines should strengthen help desk authentication, upgrade MFA methods, rigorously vet third-party vendors, monitor internal systems, and provide ongoing staff training on social engineering threats.

Q5: How can travelers protect their accounts after a breach?
A: Use unique, strong passwords for airline accounts. Be cautious with emails or calls claiming to be from airlines. Monitor your loyalty accounts for unusual activity and enable two-factor authentication where possible.

Q6: Is this trend likely to spread to other industries?
A: Yes. Scattered Spider has a history of focusing on one sector before pivoting to others. Retail, insurance, finance, and now airlines have all been recent targets.


Key Takeaway: Staying Ahead of Social Engineering Threats

Scattered Spider’s pivot to airlines is a stark reminder: in today’s digital world, human trust is often the weakest link. Whether you’re running a help desk, booking your dream vacation, or managing a global enterprise, vigilance is your best defense.

Here’s the bottom line—attackers will always look for the easiest way in, and that’s often through people, not just technology. By tightening verification processes, investing in smart security, and staying alert to evolving tactics, we can keep our data (and our travel plans) safer.
