
A sophisticated hacker group known as Scattered Spider is targeting major airline systems in a series of cyberattacks – putting passengers’ personal information at serious risk, the FBI has warned.
The Federal Bureau of Investigation (FBI) issued an urgent alert on X last month, warning travelers that a cybercriminal group – previously focused on retail and insurance – has now expanded its attacks to include the aviation industry.
Nicknamed Scattered Spider, the dangerous hacker group uses slick ‘social engineering’ tricks, like pretending to be airline employees, to sneak its way into highly protected internal systems.
Once they’re in, they swipe sensitive data – then hold it hostage, demanding a payout to keep it from being leaked or sold, the agency explained.
According to the FBI, the hackers often go a step further – locking up entire systems with ransomware, leaving them completely unusable until the hefty ransom is paid.
‘They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk,’ the warning read.
On June 27, the FBI warned the millions of daily air travelers that the notorious hacker group Scattered Spider had started infiltrating the transportation industry and often gains access by impersonating employees or contractors.
Using what the FBI referred to as ‘social engineering techniques’, Scattered Spider is known to trick companies’ IT help desks into letting them inside secure internal systems.

One of their go-to tactics is tricking IT desks into adding fake devices – disguised as routine ‘help’ – which then allow the hackers to slip past key security measures like multi-factor authentication.
‘Once inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware,’ the FBI wrote.
‘The FBI is actively working with aviation and industry partners to address this activity and assist victims,’ they added. ‘Early reporting allows the FBI to engage promptly, share intelligence across the industry, and prevent further compromise.’
Brett Winterford, vice president of threat intelligence at Okta, described Scattered Spider as a loosely connected group of young hackers – mostly from Western countries – who collaborate and share techniques in an online forum called TheCom, as reported by Forbes.
While money is their main motivation, Winterford said that they’re also driven by ‘the desire to score a big win that impresses their peers,’ according to the outlet.
They don’t stick to one type of target – if they succeed in attacking one company in an industry, they will try the same trick on similar companies again and again.
‘If they enjoy success against a target in any given industry, they’ll rinse and repeat against similar organizations,’ Winterford added.
This is just the latest troubling news in the aviation world – the same tactics seem to be behind the recent cyberattack on Qantas.

On Monday, Qantas – Australia’s largest airline – confirmed a major data breach that could have impacted up to six million customers.
In a statement on its website, Qantas said it detected unusual activity on a third-party customer service platform used by one of its call centers.
A cybercriminal reportedly targeted the call center, breaking into the customer service platform – but Qantas said they locked down the breach shortly afterward.
‘There are six million customers that have service records in this platform,’ the statement said. ‘We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant.’
‘An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers,’ it added.
However, the airline also assured customers that credit card details, personal financial information and passport data were not stored in the compromised system.
In an update on Friday, Qantas said it remained unclear which group was responsible for the incident and that it had not received a ransom request.
Now, the biggest danger is that the stolen data could be used for fraud or even identity theft.

Airlines have since been urged to strengthen their security after the massive hack left the aviation giant vulnerable to potential legal consequences.
Last month, in a strikingly similar case, Delta Air Lines locked access to some frequent flyer accounts due to cybersecurity concerns discovered earlier that week – but didn’t immediately inform the affected customers, The Hill reported.
The issue came to light when a customer – who happened to be a TV reporter in Pennsylvania, according to The Hill – was unable to access his Delta account or change his password.
When the reporter dug deeper, a Delta reservations agent revealed that the airline was dealing with ‘concerns about a potential security breach’ affecting ‘a large number of customers’ – possibly up to 68,000.
Although customers were asked to verify their identity by uploading a photo of a valid government ID, a Delta spokesperson insisted that SkyMiles accounts remained secure and said the credential resets were carried out ‘out of an abundance of caution,’ according to the outlet.