Scattered Spider Suspected in Qantas Breach as Aviation Attacks Mount

Australia’s flag carrier Qantas has become the latest victim in what appears to be a coordinated campaign against the aviation industry. The breach, detected on June 30, 2025, compromised data belonging to up to 6 million passengers and bears the hallmarks of Scattered Spider, according to cybersecurity experts.

While Qantas hasn’t officially attributed the attack to any specific group, investigators familiar with the incident believe it matches the notorious cybercriminal group’s methods. The timing is notable: just days before the Qantas announcement, the FBI issued a warning that Scattered Spider had expanded its targeting to include airlines.

The Breach Details

The attack targeted a third-party platform used by Qantas customer service, allowing hackers to access customer data including names, email addresses, phone numbers, birth dates, and frequent flyer numbers. The airline confirmed that passwords, credit card details, and passport information weren’t exposed.

Qantas detected unusual activity on the platform and immediately contained the system. The airline has notified Australian authorities including the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Australian Federal Police.

Why Experts Point to Scattered Spider

A spokesperson from CyberCX, which aided in Qantas’ incident response, told ABC that the attack has “all the hallmarks” of a Scattered Spider operation. The group is known for targeting call centers and customer service platforms through social engineering attacks.

Charles Carmakal, chief technology officer of Google-owned Mandiant, said it was “too early to tell” if Scattered Spider was responsible but warned that airlines should be on “high alert” for social engineering attacks.

Aviation Industry Under Siege

Qantas joins a growing list of airlines that have suffered breaches in recent weeks:

WestJet Airlines (Canada) – Suffered a breach in mid-June affecting internal systems and customer app access. Security experts believe this attack is linked to Scattered Spider.

Hawaiian Airlines – Disclosed a cybersecurity event on June 26 that impacted IT systems. The airline hasn’t attributed the attack to any specific group.

The pattern suggests a coordinated shift in targeting. Scattered Spider has previously focused on retail and insurance sectors before moving to aviation.

The Scattered Spider Playbook

What makes Scattered Spider particularly dangerous is their mastery of social engineering. The group consists primarily of young, native English speakers from the US and UK, making their phone-based attacks particularly convincing.

Their typical tactics include:

1. Help Desk Targeting – Impersonating employees or contractors to trick IT help desks into resetting passwords or adding unauthorized devices to accounts.

2. MFA Bypass – Using techniques like “MFA fatigue” and SIM swapping to circumvent multi-factor authentication.

3. Insider Intelligence – Once inside networks, they actively monitor victims’ internal communications and have been known to join incident response calls to understand how they’re being hunted.
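The first two tactics leave traces in identity-provider logs that defenders can correlate. The following is an added example, not code from the original post: it flags an approved push that follows a burst of denials, and a new MFA device enrolled shortly after a help-desk password reset. The event type names, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider events (not from any real system).
# Event type names are hypothetical; map them to your IdP's log schema.
EVENTS = [
    ("2025-07-01T09:00:05", "alice", "mfa_push_denied"),
    ("2025-07-01T09:00:40", "alice", "mfa_push_denied"),
    ("2025-07-01T09:01:10", "alice", "mfa_push_denied"),
    ("2025-07-01T09:01:55", "alice", "mfa_push_approved"),
    ("2025-07-01T10:15:00", "bob", "helpdesk_password_reset"),
    ("2025-07-01T10:22:00", "bob", "mfa_device_added"),
    ("2025-07-01T11:00:00", "carol", "mfa_push_denied"),
    ("2025-07-01T11:00:30", "carol", "mfa_push_approved"),
    ("2025-07-01T08:00:00", "dave", "helpdesk_password_reset"),
    ("2025-07-01T16:00:00", "dave", "mfa_device_added"),
]

def detect(events, deny_threshold=3, push_window=timedelta(minutes=10),
           reset_window=timedelta(hours=1)):
    """Return sorted (user, rule) alerts for two identity-abuse patterns."""
    by_user = defaultdict(list)
    for ts, user, kind in events:
        by_user[user].append((datetime.fromisoformat(ts), kind))
    alerts = set()
    for user, rows in by_user.items():
        rows.sort()
        denials = []       # timestamps of denied pushes since last approval
        last_reset = None  # time of the most recent help-desk reset
        for ts, kind in rows:
            if kind == "mfa_push_denied":
                denials.append(ts)
            elif kind == "mfa_push_approved":
                # Approval right after a burst of denials suggests push fatigue.
                recent = [d for d in denials if ts - d <= push_window]
                if len(recent) >= deny_threshold:
                    alerts.add((user, "mfa_fatigue"))
                denials = []
            elif kind == "helpdesk_password_reset":
                last_reset = ts
            elif kind == "mfa_device_added":
                # New authenticator soon after a help-desk reset needs review.
                if last_reset and ts - last_reset <= reset_window:
                    alerts.add((user, "reset_then_new_device"))
    return sorted(alerts)

if __name__ == "__main__":
    for user, rule in detect(EVENTS):
        print(f"ALERT {rule}: {user}")
```

Tune `deny_threshold` and the two windows to your own baseline; a single denied push followed by an approval (carol) and an enrollment hours after a reset (dave) are deliberately left unflagged at the defaults.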

FBI Warning on Aviation Threats

The FBI’s recent warning about Scattered Spider targeting airlines proved timely. The agency stated that the group “target[s] large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.”

The bureau added that “once inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware.”

Real-World Impact

The Qantas breach has already had consequences beyond the initial data exposure. Australian customers report that they are receiving scam calls citing personal information that wasn’t part of the breach, demonstrating how cybercriminals combine data from multiple sources to create convincing attacks.

Qantas shares dropped 2.4% following the breach announcement, while the broader market gained 0.8%.

A Growing Threat

Scattered Spider gained notoriety in 2023 with attacks on MGM Resorts and Caesars Entertainment. The group has since expanded their targeting to include multiple industries, with recent attacks on insurance companies and UK retailers.

Despite multiple arrests of alleged members throughout 2024, the group continues operating. Their loose organizational structure and recruitment from a broader network of cybercriminals allow them to maintain operations even as law enforcement makes arrests.

Industry Response

The aviation industry’s vulnerability is particularly concerning given its critical infrastructure role. Airlines rely heavily on interconnected systems spanning reservations, flight management, baggage handling, and customer service, creating multiple attack vectors.

Aviation cybersecurity experts note that the sector’s reliance on third-party vendors, as evidenced by the Qantas attack, creates additional security challenges. The attack didn’t impact flight safety or operations, but it highlights the sector’s cybersecurity gaps at a time when air travel is recovering to pre-pandemic levels.

What’s Next

Whether or not Scattered Spider is definitively behind the Qantas breach, the incident underscores the growing threat to aviation cybersecurity. The group’s apparent shift to targeting airlines comes at a time when the industry is already dealing with staffing shortages and operational challenges.

For passengers, the breach serves as another reminder that even major corporations can fall victim to determined attackers. The combination of personal data from this breach with information from other sources creates ongoing risks for affected individuals.

As investigations continue, airlines worldwide are likely reassessing their security postures. The question isn’t whether more aviation breaches will occur, but how quickly the industry can adapt to defend against adversaries who have proven remarkably adept at exploiting human vulnerabilities in cybersecurity systems.

About the Author:

Pocholo Legaspi

Pocholo Legaspi is a seasoned content marketer and SEO specialist with over nine years of experience crafting digital content that drives engagement and growth. With a background in tech and a Master’s in Business Informatics, he brings a data-driven approach to content strategy and storytelling.
