Qantas has become the latest in a growing list of airlines targeted by cybercriminals, as the FBI warns of an escalation in sophisticated hacking attacks believed to be orchestrated by a group known as Scattered Spider.
Australia’s flagship carrier said it was investigating a breach of a third-party customer service platform that exposed the personal data of up to 6 million customers. The data, stored in a call centre database, included names, email addresses, birth dates, phone numbers and frequent flyer information — though not financial details. Qantas shares fell 2.5% on the news.
The airline told the Financial Times that early indicators point to Scattered Spider, a group notorious for its social engineering tactics and suspected links to several recent cyber-attacks across the aviation and retail sectors.
The group is thought to have used “vishing” — or voice phishing — to manipulate a call centre employee into providing access.
The incident comes just days after a formal alert from the FBI, which said the group had “expanded its targeting to include the airline sector”.
In a post on X last Friday, the bureau warned: “These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access… Once inside, [they] steal sensitive data for extortion and often deploy ransomware.”
Scattered Spider, also tracked under names such as UNC3944 by cybersecurity researchers, is composed largely of young, English-speaking hackers based in the US and UK. The group specialises in infiltrating large corporations via their third-party IT providers or contractors — a method that bypasses traditional perimeter defences.
Cybersecurity firms, including Google and Palo Alto Networks, have corroborated the FBI’s assessment, saying they have observed heightened activity from the group targeting aviation companies since early June.
Multiple airlines targeted
The breach at Qantas follows cyber incidents at two North American airlines. In mid-June, WestJet and Hawaiian Airlines both confirmed they were investigating cyberattacks. Neither airline attributed the attacks to a specific group, but the timing and method align with Scattered Spider’s tactics.
American Airlines also experienced a system disruption on Friday, though the company said it was a “technology issue” and stopped short of linking it to a cyber-attack.
“We are working with our partners to fully resolve the issue,” a spokesperson said, noting that while delays were reported, no flights were cancelled.
Scattered Spider is also suspected of being involved in May’s cyberattacks on several UK retailers, including Marks and Spencer, according to multiple people familiar with incident response investigations. In those cases, the attackers similarly gained access via third-party service providers and attempted extortion after exfiltrating sensitive data.
Expert warnings
The aviation industry’s heavy reliance on external vendors has made it a lucrative target, experts say.
“With Qantas the latest victim in a string of attacks against airlines, attackers are likely to be further emboldened,” said James Neilson, SVP International at cybersecurity firm OPSWAT. “Airlines hold vast amounts of sensitive customer information, and when that data is stolen, it damages customer trust and provides criminals with a valuable, resalable asset.”
He added that integrating third-party providers into airline operations requires stricter controls. “Minimum security standards must be established, with regular audits and system segmentation. Multi-factor authentication and endpoint integrity checks are essential.”
Dr Darren Williams, CEO and founder of BlackFog, echoed those concerns. “The aviation industry is under immense pressure to deliver seamless service, and cybercriminals are exploiting that pressure,” he said.
“These attacks are increasingly about monetising data through extortion or by selling it on the dark web for identity theft and phishing.”
As travel surges during the summer season, industry leaders are urging airlines and their partners to reassess their cyber resilience and incident response protocols.
“The threat is real, it’s active, and it’s evolving,” Williams said. “Operators must remain vigilant — customer trust and operational integrity are on the line.”
