Under Siege: Inside the Scattered Spider Attacks That Brought Aviation to Its Knees
How a single hacker collective exposed the deep cracks in global aviation’s digital defences.
Why it matters
In summer 2025, the aviation industry suffered its most severe cyber crisis to date. Within three weeks, three major airlines—WestJet, Hawaiian Airlines, and Qantas—fell victim to a coordinated series of attacks by a group known as Scattered Spider.
Over 6.9 million passenger records were stolen, and the breaches revealed something deeper than poor passwords or unlucky timing: the fragility of an entire global system built on digital trust.
The Summer of the Aviation Siege
It began quietly. On 13 June 2025, WestJet, Canada’s second-largest airline, reported what looked like a minor IT disruption—website outages, app failures, flight check-in delays.
Days later, investigators discovered the truth: unauthorised access to passenger databases containing 1.2 million records, including names, itineraries, passport numbers, and government ID scans. The breach wasn’t random. It was a surgical strike on a trusted vendor connection—an early move in what experts now call the Aviation Siege.
By late June, Hawaiian Airlines had joined the casualty list. While its flights kept running, the company admitted a breach that exposed sensitive customer data and internal operational files.
Then came the coup de grâce. On 1 July, Qantas Airways—Australia’s flagship carrier—confirmed that hackers had infiltrated a Salesforce-based customer-service platform, compromising 5.7 million customer profiles. The stolen data included contact details, frequent flyer records, and even passenger meal preferences—information that could easily be weaponised for targeted phishing and identity theft.
Security analysts soon connected the dots: these were not isolated events. They were coordinated, methodical, and unmistakably the work of Scattered Spider.
The Anatomy of an Airborne Heist
Scattered Spider is not a nation-state actor in the traditional sense. It’s a loose network of skilled, mostly English-speaking cybercriminals known for social engineering—manipulating people, not machines.
Rather than brute-forcing firewalls or deploying zero-day exploits, they exploit the oldest vulnerability in cybersecurity: human trust.
1. WestJet: Credential Stuffing and Cloud Exploitation
The group began by launching a credential-stuffing campaign, using login details stolen from earlier breaches to access WestJet’s Microsoft Cloud and Citrix environments.
Once inside, they impersonated IT staff to reset employee passwords and escalate privileges. No ransomware, no obvious malware—just manipulation, stealth, and patient escalation.
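The credential-stuffing phase described above has a characteristic footprint in web-login audit logs: one source address cycling through many distinct accounts in a short window, with a high failure rate and an occasional success where a reused password happened to work. The detector below is an added illustration, not code from the article or from any airline; its log format, thresholds and sample records are all constructed for the example. It flags source IPs that try many accounts with mostly failures and lists the successful logins from those IPs, which are the sessions a responder would want to review first.

```python
"""Credential-stuffing detector over constructed web-login audit records.

Added example for the WestJet section; not code from the article or any
airline. Log format, thresholds and records are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, result.
# 203.0.113.7 walks through many accounts and gets one hit (dave).
SAMPLE_LOG = """\
2025-06-13T02:00:01Z 203.0.113.7 alice@example.test FAIL
2025-06-13T02:00:02Z 203.0.113.7 bob@example.test FAIL
2025-06-13T02:00:03Z 203.0.113.7 carol@example.test FAIL
2025-06-13T02:00:04Z 203.0.113.7 dave@example.test SUCCESS
2025-06-13T02:00:05Z 203.0.113.7 erin@example.test FAIL
2025-06-13T02:00:06Z 203.0.113.7 frank@example.test FAIL
2025-06-13T02:00:07Z 203.0.113.7 grace@example.test FAIL
2025-06-13T02:00:08Z 203.0.113.7 heidi@example.test FAIL
2025-06-13T02:00:09Z 203.0.113.7 ivan@example.test FAIL
2025-06-13T02:00:10Z 203.0.113.7 judy@example.test FAIL
2025-06-13T02:01:00Z 198.51.100.2 alice@example.test FAIL
2025-06-13T02:01:30Z 198.51.100.2 alice@example.test SUCCESS
2025-06-13T02:05:00Z 192.0.2.9 bob@example.test SUCCESS
2025-06-13T03:30:00Z 203.0.113.7 mallory@example.test FAIL
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, result) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return records


def detect_stuffing(records, window=timedelta(minutes=10),
                    min_accounts=8, min_fail_ratio=0.7):
    """Flag source IPs that, within a sliding time window, attempt at least
    `min_accounts` distinct usernames with a failure ratio of at least
    `min_fail_ratio`. Returns {ip: {"accounts": n, "takeovers": [...],
    "first_seen": datetime}} where takeovers are successful logins seen
    inside a flagged window (accounts to reset and investigate)."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec[1]].append(rec)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r[0])
        users = Counter()   # usernames currently inside the window
        fails = 0
        start = 0
        for end, (ts, _, user, result) in enumerate(events):
            users[user] += 1
            fails += result == "FAIL"
            # Slide the window start forward past events older than `window`.
            while ts - events[start][0] > window:
                old = events[start]
                users[old[2]] -= 1
                if users[old[2]] == 0:
                    del users[old[2]]
                fails -= old[3] == "FAIL"
                start += 1
            total = end - start + 1
            if len(users) >= min_accounts and fails / total >= min_fail_ratio:
                hit = alerts.setdefault(ip, {"accounts": set(), "takeovers": set(),
                                             "first_seen": events[start][0]})
                hit["accounts"].update(users)
                hit["takeovers"].update(
                    r[2] for r in events[start:end + 1] if r[3] == "SUCCESS")

    return {ip: {"accounts": len(h["accounts"]),
                 "takeovers": sorted(h["takeovers"]),
                 "first_seen": h["first_seen"]}
            for ip, h in alerts.items()}


def main():
    for ip, alert in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {alert['accounts']} accounts tried from "
              f"{alert['first_seen']:%H:%M:%S}; successes to review: "
              f"{', '.join(alert['takeovers']) or 'none'}")


if __name__ == "__main__":
    main()
```

The thresholds are deliberately conservative so that a single user mistyping a password a few times never triggers; the window and ratio would be tuned against a real login baseline. The later lone failure from the same IP at 03:30 falls outside the window and is not counted, which shows why a per-IP rolling window matters more than a global tally.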
2. Qantas: The Salesforce Supply-Chain Breach
In Qantas’s case, the attackers didn’t go straight for the airline. They went for its outsourced call-centre provider in the Philippines, which used Salesforce to manage customer queries.
By posing as legitimate Qantas employees, the hackers tricked call-centre staff into granting them administrative access. From there, they quietly siphoned off millions of customer records.
The breach didn’t stop at Qantas. The same Salesforce vulnerability was used against multiple global brands—Disney, IKEA, Toyota, and Google among them.
It was a textbook demonstration of supply-chain contagion: one compromise spreading across hundreds of trusted organisations.
The Human Cost
Behind the numbers were real people whose lives were disrupted.
“I still haven’t received any direct information from Qantas,” said Ebe Ganon, one of the affected passengers. “I’ve had to pay for my own identity monitoring. It’s expensive and stressful.”
Unlike credit cards, travel documents such as passports can’t simply be cancelled. Once compromised, they can be used to build synthetic identities—allowing criminals to create entirely new digital personas using fragments of real data.
The psychological toll is equally damaging: the erosion of trust between passengers and the airlines they depend on.
Counting the True Cost
Short-Term Shock
Qantas: 2.2% share price drop in July 2025; pledged two years of free identity-theft monitoring for customers
WestJet: facing regulatory investigations in Canada
Hawaiian Airlines: ongoing remediation costs and third-party contract reviews
Long-Term Fallout
Cybersecurity budgets across major airlines are now set to rise 15–20% through 2026.
At Qantas, executive bonuses were cut by 15%, including a £250,000 reduction to the CEO’s package—a rare admission that cyber failure is a leadership failure, not a technical mishap.
Regulators in multiple jurisdictions have opened inquiries into vendor accountability and data-handling practices.
What the Attacks Revealed
The Aviation Siege of 2025 exposed three systemic weaknesses in the sector.
1. Third-Party Risk: The Weakest Link
Every airline affected was compromised through a vendor—not their own core systems. Attackers know that smaller partners often have weaker controls but still hold the keys to valuable data.
Airlines must now shift to a “zero-trust” vendor model, enforcing least-privilege access, continuous monitoring, and financial penalties for non-compliance.
2. The Human Factor
Social engineering bypasses even the best technology.
The industry must treat people as part of the security perimeter, not outside it.
That means realistic training, strict verification for password resets, and a cultural shift where every employee—whether a pilot or a call-centre worker—feels responsible for cyber hygiene.
3. Regulatory Lag
The existing rules simply haven’t kept up.
The US Transportation Security Administration’s 24-hour breach-reporting rule, for example, has been criticised as “unrealistic and disconnected from operational realities”.
The aviation sector needs adaptive regulation that focuses on outcomes, not checklists—and promotes intelligence-sharing across borders.
Building the Future: From Compliance to Resilience
To prevent the next industry-wide collapse, experts point to three levels of action.
Immediate Steps
Adopt phishing-resistant multi-factor authentication (e.g. hardware keys rather than text-message codes)
Audit all vendor access points, especially those involving customer data
Tighten employee verification for any system reset or remote access
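The first two immediate steps, phishing-resistant MFA and an audit of vendor access points, can be turned into a repeatable check over an access inventory. The script below is an added example, not code from the article or from any airline or vendor; the account inventory, system tags and thresholds are constructed. It flags accounts whose MFA is not phishing-resistant (SMS, voice and app-based one-time codes can all be relayed by a social engineer), vendor accounts holding admin rights on systems that store customer data, vendor access with no expiry date, and dormant accounts, which are the conditions the attacks described in this article relied on.

```python
"""Third-party access audit over a constructed account inventory.

Added example for the "Immediate Steps" list; not code from the article or
any airline. Inventory, system tags and the 90-day dormancy threshold are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# MFA methods that bind to the origin and cannot be relayed by phishing
# (assumption: these labels are what the identity provider reports).
PHISHING_RESISTANT = {"fido2", "hardware_key", "passkey"}
DORMANT_DAYS = 90
TODAY = date(2025, 7, 15)   # fixed so the example is deterministic


@dataclass
class Account:
    name: str
    owner: str                 # "internal" or the vendor's name
    roles: Dict[str, str]      # system -> role on that system
    mfa: str                   # "none", "sms", "totp", "fido2", ...
    last_login: Optional[date]
    expires: Optional[date] = None


# Constructed: which systems hold customer data.
SYSTEMS = {
    "crm": {"customer_data": True},
    "citrix": {"customer_data": True},
    "wiki": {"customer_data": False},
}

# Constructed inventory mixing internal staff, call-centre and IT vendors.
INVENTORY = [
    Account("svc-callcentre-admin", "CallCentreCo", {"crm": "admin"}, "sms",
            date(2025, 7, 14), None),
    Account("cc-agent-042", "CallCentreCo", {"crm": "agent"}, "totp",
            date(2025, 7, 14), date(2025, 12, 31)),
    Account("contractor-old", "NetOpsVendor", {"citrix": "admin"}, "none",
            date(2025, 2, 1), None),
    Account("it-helpdesk-1", "internal", {"citrix": "admin", "crm": "admin"},
            "fido2", date(2025, 7, 15)),
    Account("docs-bot", "DocsVendor", {"wiki": "editor"}, "totp",
            None, date(2025, 9, 1)),
]

Finding = Tuple[str, str, str]   # (account name, finding code, detail)


def audit(inventory: List[Account], systems, today: date = TODAY) -> List[Finding]:
    """Return one finding per violated rule per account."""
    findings: List[Finding] = []
    for a in inventory:
        is_vendor = a.owner != "internal"
        if a.mfa not in PHISHING_RESISTANT:
            findings.append((a.name, "WEAK_MFA", f"mfa={a.mfa}"))
        # Least privilege: vendors should not administer customer-data systems.
        vendor_admin = [s for s, r in a.roles.items()
                        if r == "admin" and systems[s]["customer_data"]]
        if is_vendor and vendor_admin:
            findings.append((a.name, "VENDOR_ADMIN_ON_CUSTOMER_DATA",
                             "systems=" + ",".join(vendor_admin)))
        if is_vendor and a.expires is None:
            findings.append((a.name, "NO_EXPIRY", f"owner={a.owner}"))
        # Never-used or long-unused credentials are a standing takeover risk.
        if a.last_login is None or (today - a.last_login).days > DORMANT_DAYS:
            last = a.last_login.isoformat() if a.last_login else "never"
            findings.append((a.name, "DORMANT", f"last_login={last}"))
    return findings


def codes_for(findings: List[Finding], name: str):
    """Set of finding codes raised against one account."""
    return {code for acct, code, _ in findings if acct == name}


if __name__ == "__main__":
    for name, code, detail in audit(INVENTORY, SYSTEMS):
        print(f"{name:24} {code:30} {detail}")
```

A real run would pull the inventory from the identity provider and the vendor-management system rather than a literal, but the rules stay the same: the account that looks most like the Qantas call-centre path (a vendor-owned admin on the CRM, protected only by SMS codes, with no expiry) produces three findings at once, while an internal admin on a hardware key produces none.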
Medium-Term Strategies
Implement full Zero-Trust Architecture across all networks and cloud services.
Share real-time threat intelligence through trusted aviation and government channels.
Integrate response plans that consider multi-airline and supplier breaches.
Long-Term Vision
Treat cybersecurity as a shared defence, not a competitive differentiator
Push for harmonised international standards on vendor security
Invest in workforce development to close the industry-wide cybersecurity skills gap
A Crossroads for Global Aviation
The 2025 attacks weren’t just digital heists—they were a referendum on trust.
Airlines operate on an implicit contract with their passengers: that safety extends from the cockpit to the cloud. Scattered Spider proved that promise is now broken.
As Professor Matt Warren of RMIT University observed, “The crucial takeaway is to emphasise security rather than focusing solely on maximising shareholder profits”.
The siege may have ended, but the battle for aviation’s digital future is far from over.
Whether the next decade brings resilience or ruin depends on whether the industry learns from its own near-collapse—or repeats it at 35,000 feet.
This article represents analysis based on publicly available data as of October 2025.