
FBI warns travelers of ‘Scattered Spiders’ group targeting airlines
Diverging Reports Breakdown
Qantas Airways Targeted in Major Data Breach Exposing the Details of 6 Million Customers
Qantas has disclosed a significant cyber incident involving a breach of a third-party customer service platform. The security breach compromised the personal data of approximately six million customers. Names, email addresses, phone numbers, birth dates, and frequent flyer membership numbers were exposed. PINs, passwords, and login credentials were reportedly not affected. This event marks one of the most severe data breaches to strike the airline in years, raising fresh concerns about cybersecurity within the aviation industry. The FBI issued a warning regarding cybercriminal groups targeting airlines, emphasizing tactics used by entities like the Scattered Spider group.
The cyber incident involved a breach of a third-party customer service platform.
The leaked sensitive details include names, email addresses, phone numbers, and birth dates.
Australia’s flagship carrier, Qantas Airways, recently disclosed a significant cyber incident involving a breach of a third-party customer service platform. The cyberattack targeted a call center platform used by Qantas.
The security breach compromised the personal data of approximately six million customers. Exposed information includes names, email addresses, phone numbers, birth dates, and frequent flyer membership numbers.
Yet, PINs, passwords, and login credentials were reportedly not affected, Reuters mentions in a recent report.
Qantas said it identified unusual activity on the platform and acted swiftly to contain the incident. The airline has since involved multiple agencies, including the Australian Cyber Security Centre and the Federal Police, to investigate the attack and assess the scale of the breach.
The breach comes amid heightened concerns about cybersecurity threats in the aviation sector. Recently, the FBI issued a warning regarding cybercriminal groups targeting airlines, emphasizing the tactics used by entities like the Scattered Spider group.
Known for leveraging social engineering techniques to impersonate IT staff, the threat actor has reportedly prompted breaches in other airlines, such as Hawaiian Airlines and Canada’s WestJet.
Andy Bennett, Chief Information Security Officer at Apollo Information Systems, noted the group’s move into aviation may reflect a natural evolution of their targeting. He further noted that transportation providers maintain extensive data on travelers for compliance, which could be valuable for refining social engineering attacks.
“Scattered Spider could use the type of data held by airlines to build very complete profiles of millions of individuals, including details on their families and relationships, if any travel or booking histories were included in the stolen information,” he said.
“Security fundamentals such as authenticator or token-based multifactor authentication (MFA), and not reusing passwords between systems, can go a long way,” Bennett added.
However, Charles Carmakal, Chief Technology Officer at cybersecurity firm Mandiant, urged caution, noting that while Scattered Spider has a known history of targeting airlines, it is too soon to attribute this breach directly to the group.
“We’re still in the early stages of analysis, and attribution requires clear technical indicators,” he said.
This event marks one of the most severe data breaches to strike the airline in years, raising fresh concerns about cybersecurity within the aviation industry.
Scattered Spider hackers hit major airline exposing six million flyers after FBI warning
The attack may have granted the cybercriminal group access to the personal information of six million people. The cyberattack group is known for impersonating employees to deceive IT desks into granting it access. Qantas said it took no immediate action when it first learned of the attack on July 1, but in the days since has confirmed it is investigating the proportion of the potential data theft, which it said it expects “will be significant.” It also stated that the attack had no impact on the operations or safety of the airline itself.
The attack may have granted the cybercriminal group access to the personal information of six million people
Australian airline Qantas warned customers that it had detected unusual activity on a third-party platform that stores personally identifiable information of six million people.
The warning came mere days after the Federal Bureau of Investigation cautioned the aviation industry that the Scattered Spider ransomware attack group was focusing its efforts on transportation and aviation sectors. The cybercriminal group, which appears to be using two-factor authentication bypass measures, is known historically for its attacks on insurance and retail groups.
According to an FBI spokesperson, the attackers used “social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access.”
Scattered Spider is believed to be “a group of loosely affiliated individuals that collaborate and share their tradecraft in a forum called The Com,” Brett Winterford, vice president of threat intelligence at Okta, told Forbes. Its members are “globally distributed but most often from Western countries, they are motivated by profit but also motivated by the desire to score a big win that impresses their peers.”
“If they enjoy success against a target in any given industry, they’ll rinse and repeat against similar organizations,” Winterford said, echoing warnings from the FBI. The Qantas attack appears to be one such opportunity.
According to a statement issued by Qantas on July 2, the cyberattack occurred when one member of the hacker group targeted a call center and gained access to a third-party customer service platform. Qantas said it took no immediate action when it first learned of the attack on July 1, but in the days since has confirmed it is investigating the proportion of the potential data theft, which it said it expects “will be significant.” It also stated that the attack had no impact on the operations or safety of the airline itself.
In an update on Friday, Qantas said no further threats have been detected in the system, and that it remains secure. The airline also confirmed that no credit card details, personal financial information or passport details were stored on the system that was attacked.
“We are treating this incredibly seriously and have implemented additional security measures to further strengthen our systems,” Qantas Group CEO Vanessa Hudson said. “Our customers can be assured that we have the right expertise and resources dedicated to resolving this matter thoroughly and effectively.”
The Rising Cyber Threats Impacting Major Airlines
Airlines are just as vulnerable to cyber-attacks as any other organization, and the recent incidents appear to have been via third-party software as a service (SaaS) provider. The FBI issued a warning that the threat group Scattered Spider is actively targeting airlines with ransomware and data extortion attacks. Three airlines have confirmed cyber incidents, including Australian airline Qantas, Canada’s WestJet Airlines and Hawaiian Airlines since June 2025. Customers of affected airlines must also be on high alert for phishing attempts according to William Wright, CEO of Closed Door Security. It is not yet known how the attackers are seeking to monetize these hacks, but one expert suggested that stolen data could be used to facilitate fraud operations against customers or sold on the dark web. The attacks have been linked to retailers such as Marks & Spencer, The Co-op and Adidas, but none have been attributed to the group thus far.
Three airlines have confirmed cyber incidents, including Australian airline Qantas, Canada’s WestJet Airlines and Hawaiian Airlines since June 2025.
On June 30, the FBI issued a warning that the threat group Scattered Spider is actively targeting airlines with ransomware and data extortion attacks.
Why Airlines’ Extensive Customer Information Makes Them a Goldmine
Airlines are just as vulnerable to cyber-attacks as any other organization, and the recent incidents appear to have been via third-party software as a service (SaaS) provider.
Qantas confirmed that the incident originated from a cybercriminal targeting a call center and gaining access to a third-party customer servicing platform.
The WestJet cyber incident involved its internal systems and the WestJet app. Meanwhile, the Hawaiian Airlines incident affected some of its IT systems, but no other information on this has been shared to date.
Aviation services remain operational for the three airlines, and the main aim of the threat group appears to be data theft.
The targeting of SaaS suppliers is a typical modus operandi of the Scattered Spider cybercriminal collective, which has also been linked to recent attacks on retailers such as Marks & Spencer, The Co-op and Adidas.
While the physical operations that airlines run airside often depend on legacy IT and OT infrastructure that could be vulnerable to cyber-attack, these are not at the center of the recent attacks.
Toby Lewis, global head of threat analysis at Darktrace, noted that taking down airline operations – which are typically considered critical national infrastructure (CNI) – is a much higher stakes play for a threat actor.
Speaking to Infosecurity, Lewis said, “These airlines are not being targeted because they are airlines but because at their core, they’re retailers that handle high value transactions. If you want a group of individuals who have a couple of thousands worth of disposable income, then customers of an international airline are probably a good bet.”
Customers Urged to be on High Alert
It is not yet known how the attackers are seeking to monetize these hacks, but Lewis suggested that stolen data could be used to facilitate fraud operations against customers or sold on the dark web.
Qantas has confirmed that some customer data has been stolen, while WestJet and Hawaiian Airlines have not suggested any data has been stolen at the time of writing.
WestJet advised, “Guests and employees exercise additional caution at this time, especially when sharing personal information.”
Tenable’s cyber security research team has said that based on its own investigation, the data relating to the Qantas incident has not been sold by the threat actors yet.
For customers of affected airlines, Vonny Gamot, head of EMEA at online protection company McAfee, advised, “Assume you’re affected – even if you haven’t received notification, assume your information may have been compromised if you’ve been a customer. Companies often take weeks to identify all affected individuals.”
Password changes, monitoring of financial accounts and enabling multifactor authentication (MFA) are also key.
Customers of Qantas must also be on high alert for phishing attempts according to William Wright, CEO of Closed Door Security.
“These emails could be designed to look like genuine communications in relation to the incident but are actually aimed at tricking recipients into handing out their personal or financial information. It is therefore essential that customers take note of this threat and treat all communications around the incident with caution,” Wright said.
Airline Breaches Bear Hallmarks of Scattered Spider’s Tactics
While affected airlines have shared some details of the recent attacks, none have been attributed to the hacking group thus far.
However, most industry experts have commented on the link between the type of attack and Scattered Spider’s recently observed tactics.
Will Thomas, Senior Threat Intelligence Advisor, Team Cymru, explained the tactics, techniques and procedures (TTPs) used by Scattered Spider in an interview with Infosecurity.
How Scattered Spider Uses Social Engineering In Cyber Attacks
‘Scattered Spider’ is a cybercriminal group that targets large companies’ information technology for ransomware scams. The FBI released a statement regarding the clever yet simple way these hackers work. They will gather information about an airline employee, then call the company’s IT department and say, “Hey, I bought a new phone, can you add this device to my account?” Once that happens, they can get through two-factor authentication and control that employee’s account. That enables them to gather more information on other employees to continue the cycle.
If you’re planning on flying out of Michigan this summer, pay careful attention to the emails you receive from your airline leading up to your departure.
What is Scattered Spider?
Scattered Spider is a cybercriminal group that targets large companies’ information technology for ransomware scams. This criminal organization is primarily made up of teens and young adults.
The FBI released a statement regarding the clever yet simple way these hackers work.
ALERT—The FBI has recently observed the cybercriminal group Scattered Spider expanding its targeting to include the airline sector. These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access. These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts. They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.
Here’s how Scattered Spider works. They will gather information about an airline employee, then call the company’s IT department and say, “Hey, I bought a new phone, can you add this device to my account?” Once that happens, they can get through the two-factor authentication and control that employee’s account. That enables them to gather more information on other employees to continue the cycle.
Now that they are targeting airlines, the FBI is concerned about urgent systems getting shut down for ransom.
Once inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware. The FBI is actively working with aviation and industry partners to address this activity and assist victims.
The earlier the FBI receives reports on these breaches, the better chance they will have to pause or eliminate the issue. Authorities ask that you contact your local FBI office immediately if you suspect your company has been targeted.
FBI raises alarm over Scattered Spider targeting airline sector with social engineering schemes
The FBI has observed the cybercriminal group Scattered Spider expanding its targeting to include the airline sector. These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access. The FBI is actively working with aviation and industry partners to address this activity and assist victims. More victims in the aviation industry could come forward, sources briefed on the investigation said. The group quickly escalates privileges, disables recovery systems, exfiltrates sensitive data, and detonates ransomware, an analyst wrote Monday in a blog post for Mandiant, part of Google Cloud. It can establish persistent access, harvest data, disable recovery mechanisms and detonate ransomware across both on-premises and cloud environments, the analyst added. He added that Mandiant published hardening guidance a few weeks ago that will help organizations defend against Scattered Spider and other groups that use similar TTPs. The company is aware of multiple incidents in the airline and transportation sector that resemble the operations of UNC3944 or Scattered Spider.
“These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts,” the FBI wrote in a message on X, formerly Twitter. “They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.”
The agency assessed that once inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware.
The FBI is actively working with aviation and industry partners to address this activity and assist victims. “Early reporting allows the FBI to engage promptly, share intelligence across the industry, and prevent further compromise. If you suspect your organization has been targeted, please contact your local FBI office,” it added.
Hawaiian Airlines and Canada’s WestJet confirmed that they were still assessing the fallout from recent cyberattacks, though the airlines did not name the perpetrators. More victims in the aviation industry could come forward, sources briefed on the investigation said.
WestJet said in a June 18 statement that it has made significant progress in safeguarding its digital environment and supporting the specialized teams working to resolve the cyber incident that began on June 13, 2025. “As soon as a cybersecurity incident was identified, we took immediate action, including but not limited to launching an investigation, engaging world-class third-party cyber security experts and forensic specialists, and notifying our people and guests of our ongoing efforts.”
“We are working as quickly as possible to assess any potential data in scope,” it added. “Our investigations are ongoing, and we will provide updates as appropriate in the future. We have engaged with law enforcement and are complying with our regulatory obligations in the meantime. The protection of our data is of utmost importance to us, and we thank all of our guests for their continued patience at this time.”
Hawaiian Airlines said in its latest cybersecurity update on June 26 that it “is continuing to address a cybersecurity event that has affected some of our IT systems. We continue to safely operate our full flight schedule, and guest travel is not impacted. As we navigate the ongoing event, we remain in contact with the appropriate experts and federal authorities. We will provide updates as more information is available.”
Mandiant (part of Google Cloud) is aware of multiple incidents in the airline and transportation sector that resemble the operations of UNC3944 or Scattered Spider.
Charles Carmakal, CTO and Board Advisor at Mandiant, recommended in a LinkedIn post that “the industry immediately take steps to tighten up their help desk identity verification processes prior to adding new phone numbers to employee/contractor accounts (which can be used by the threat actor to perform self-service password resets), reset passwords, add devices to MFA solutions, or provide employee information (e.g. employee IDs) that could be used for a subsequent social engineering attacks.”
He added that Mandiant published hardening guidance a few weeks ago that will help organizations defend against Scattered Spider and other groups that use similar TTPs. “This guidance is based on thousands of hours of responding to incidents and successfully eradicating these actors from victim networks. Scattered Spider has a history of focusing on sectors for a few weeks at a time before expanding their targeting. Regardless if your industry is currently targeted, organizations should review the below guidance to improve their defenses.”
Sam Rubin, senior vice president of consulting and threat intelligence at Unit 42 by Palo Alto Networks, wrote in a LinkedIn post that “Unit 42 has observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry. Organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests.”
“Once inside, the group quickly escalates privileges, disables recovery systems, exfiltrates sensitive data, and detonates ransomware, often across hybrid cloud and on-prem infrastructure,” Anthony M. Freed, a research and communications director, wrote in a Monday Halcyon blog post. “In a matter of hours, the group can breach, establish persistent access, harvest sensitive data, disable recovery mechanisms, and detonate ransomware across both on‑premises and cloud environments.”
Freed noted that what sets Scattered Spider apart is its methodical preparation. “Operators study their targets closely, using breach data and social media to craft impersonations so realistic that even trained support staff may be fooled. The group is part of a loosely connected collective with ties to other criminal groups and has been active since at least 2021.”
He added that researchers stress that the core weakness isn’t always in technology—it’s in human-driven identity workflows. “Organizations must rethink how help desk authentication works, harden identity verification procedures, and ensure that employees are trained to spot and resist these kinds of sophisticated deception tactics.”
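An added example, not from the FBI, Mandiant or the reporting above: detection logic for the help-desk pattern described in this article, where an operator resets a password, changes a phone number or adds an MFA device and a sign-in from an unfamiliar origin follows shortly after. The event schema, field names, 60-minute window and sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Help-desk actions the quoted guidance says need identity verification first.
SENSITIVE = {"mfa_device_added", "password_reset", "phone_number_changed"}
WINDOW = timedelta(minutes=60)  # assumed correlation window, tune per environment

FIELDS = ("ts", "action", "user", "by", "ip", "device", "callback_verified")
# Constructed sample audit events (hypothetical schema; documentation IP ranges).
RAW = [
    ("2025-01-15T08:55:00", "signin", "a.lee", "a.lee", "10.1.4.20", "lap-114", None),
    ("2025-01-15T09:10:00", "password_reset", "a.lee", "hd.ops7", None, None, False),
    ("2025-01-15T09:12:00", "mfa_device_added", "a.lee", "hd.ops7", None, None, False),
    ("2025-01-15T09:20:00", "signin", "a.lee", "a.lee", "203.0.113.50", "unknown-77", None),
    ("2025-01-15T07:30:00", "signin", "b.ortiz", "b.ortiz", "10.1.4.31", "lap-201", None),
    ("2025-01-15T10:00:00", "mfa_device_added", "b.ortiz", "hd.ops2", None, None, True),
    ("2025-01-15T10:05:00", "signin", "b.ortiz", "b.ortiz", "10.1.4.31", "lap-201", None),
    ("2025-01-15T11:00:00", "phone_number_changed", "c.khan", "hd.ops2", None, None, True),
    ("2025-01-15T11:30:00", "signin", "c.khan", "c.khan", "198.51.100.9", "unknown-12", None),
    ("2025-01-15T06:00:00", "password_reset", "d.roy", "hd.ops7", None, None, False),
    ("2025-01-15T09:00:00", "signin", "d.roy", "d.roy", "10.1.7.8", "lap-330", None),
]
EVENTS = [dict(zip(FIELDS, row)) for row in RAW]


def detect(events, window=WINDOW):
    """Flag sign-ins from an unseen origin shortly after a help-desk account change."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    baseline = {}  # user -> {(ip, device)} from sign-ins that raised no alert
    changes = {}   # user -> [(time, event)] for changes made by someone else
    alerts = []
    for e in ordered:
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["action"] in SENSITIVE and e["by"] != user:
            changes.setdefault(user, []).append((ts, e))
            continue
        if e["action"] != "signin":
            continue
        origin = (e["ip"], e["device"])
        recent = [c for t, c in changes.get(user, []) if ts - t <= window]
        if recent and origin not in baseline.get(user, set()):
            actions = sorted({c["action"] for c in recent})
            # No recorded out-of-band callback, or several changes at once: escalate.
            unverified = any(not c["callback_verified"] for c in recent)
            alerts.append({
                "user": user, "signin_ts": e["ts"], "ip": e["ip"],
                "actions": actions,
                "operators": sorted({c["by"] for c in recent}),
                "severity": "high" if unverified or len(actions) > 1 else "medium",
            })
        else:
            # Simplification: any non-alerting sign-in extends the user's baseline.
            baseline.setdefault(user, set()).add(origin)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A flagged origin is deliberately kept out of the baseline, so repeat sign-ins from it keep alerting until an analyst clears the account.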
Last October, the Health Sector Cybersecurity Coordination Center of the U.S. Department of Health and Human Services released a profile on Scattered Spider, a financially motivated group active since 2022. The group has targeted multiple industries, including healthcare, using legitimate tools, malware, and ransomware variants. Known for advanced social engineering like voice phishing and AI-generated voice spoofing, Scattered Spider is expected to keep evolving its tactics, techniques, and procedures (TTPs) to avoid detection.
U.S. security agencies released in November 2023 a joint Cybersecurity Advisory (CSA) warning that the Scattered Spider cybercriminal group was targeting commercial facilities sectors and subsectors. The hackers are known for their involvement in data theft for extortion, utilizing various social engineering techniques. Additionally, they have recently incorporated the use of BlackCat/ALPHV ransomware alongside their usual TTPs.
Source: https://www.sfgate.com/travel/article/fbi-warns-travelers-scattered-spiders-airlines-20415995.php