THE AMERICA ONE NEWS
Jul 2, 2025


Topline

Within the past three weeks, three major global airlines—WestJet (Canada), Hawaiian Airlines (U.S.) and Qantas (Australia)—have publicly confirmed cyberattacks impacting their systems, and cybersecurity experts say more carriers may have been targeted.

WestJet reported a cybersecurity incident beginning June 13, affecting internal systems and potentially customer access to its app and website.

In a Securities and Exchange Commission filing, Hawaiian Airlines disclosed a cybersecurity event that began June 23 and affected certain information technology systems.

On June 27, the FBI warned it has observed “the cybercriminal group Scattered Spider expanding its targeting to include the airline sector” and that “anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.”

Charles Carmakal, chief technology officer of Mandiant, a cybersecurity firm and a subsidiary of Google, wrote on LinkedIn of “multiple incidents in the airline and transportation sector” resembling Scattered Spider's tactics, suggesting other airlines may have been targeted.

Qantas Airlines, Australia’s flagship carrier, reported Wednesday that a cyber incident had occurred Monday in one of its contact centers that exposed data for as many as 6 million customers.

Multiple news outlets reported last week that Delta Air Lines locked access to some customers’ SkyMiles frequent flier accounts—but the airline confirmed to Forbes the actions were precautionary and “not the result of any breach of Delta or vendor systems.”

Scattered Spider is a loose community of hackers that has been credited with many high-profile cyberattacks in recent years, including the 2023 ransomware attacks on MGM Resorts and Caesars Entertainment and, more recently, against the British retailer Marks & Spencer and the insurance company Aflac. The group is primarily composed of young adults and some teenagers, mainly native English speakers based in the United States, Canada and the United Kingdom, Carmakal told Forbes. The group is best known for using sophisticated social engineering tactics like phishing, SIM swapping and impersonation to bypass multi-factor authentication security processes.

“Something they do probably better than any other group out there is social engineering, and a big part of that success is the Western accent,” Carmakal said. “When they pretend to be a 24-year-old employee at a company in the United States or the United Kingdom, they sound credible because they're 24 years old and they're based in the United States or the United Kingdom.”

Once they’ve infiltrated a company’s system, a hacker group may not reveal itself immediately, Alex Waintraub, a cyber crisis management expert at CYGNVS who has worked on hundreds of ransom cases, told Forbes. “In a lot of cases, they’ll move laterally and search for a cyber insurance plan or an incident response plan or a breakdown of the company’s financials as a way of assessing their demand.” The goal is to arrive at the highest number that the company would be willing to pay in return for the hackers returning stolen information.

“I don’t want to say there’s honor amongst thieves because that gives them a little too much credit,” Carmakal said. “But I think these groups understand the business model, and they’re going to comply with the business model so that they can continue to make money. And that model requires them to stay true to their word.”

“Aviation is data rich and companies often have older legacy systems that are interconnected with a bunch of third-party platforms,” Waintraub said. “They have massive troves of personal data and loyalty program data and travel information, and that makes them a nice target.” One possibility for the timing, suggested Carmakal, is simply that it’s peak travel season with a holiday weekend coming up. “These threat actors are not just motivated by money,” he said. “They do like the ego. They like being able to brag to their friends and say that they are responsible for this news story or this outage.” Scattered Spider’s modus operandi has been to swoop into a sector and select multiple targets before moving on. “They tend to stick with that sector for a few weeks and go after big organizations,” Carmakal said. “It doesn’t have to be the biggest.”

Carmakal said he’s aware of “a number of airlines” that have made changes in an effort to block Scattered Spider from compromising their systems. “It might be a little bit more painful for employees to take certain actions like resetting passwords,” he said. “People are taking the threat very seriously. You know, when you see a particular threat actor basically rinse and repeat over and over again across multiple victims in the same sector, people take notice.”

Which other airlines, if any, have been attacked remains unclear. “Pretty much every North American airline is on high alert because they’ve heard the warning,” Carmakal said. “You usually see disclosures happen weeks after the fact—but not every company has to disclose. It depends on how far the attacker went. Victim organizations may not yet have gotten to the point in their investigation that they know if data was stolen.”

“Consumers are generally protected by the major financial institutions if credit card numbers are exposed,” Carmakal said. If a credit card number is used by a bad actor, for example, “you’re going to get a new credit card and you're not going to be liable for any fraudulent purchases.” He says identity theft is harder to protect against and acknowledges that “Social Security numbers have been stolen so many times and are generally available to any threat actor that wants to have access to them.” As a general common-sense precaution, he recommends freezing your credit with the three major U.S. credit bureaus (Equifax, Experian and TransUnion) to prevent anyone from taking out credit in your name.

Inside The Ransomware Attack That Shut Down MGM Resorts (Forbes)