The next time you slowly amble down an aeroplane aisle, spare a thought for the incredible work that got you there. From aviation engineering through to the operators that keep over 5,000 planes in the air at any one time, the aviation industry faces mind-boggling challenges.

In the last couple of decades, it has had yet another thing to contend with: cybersecurity threats. Last month, we saw some examples of what happens when intruders get inside airline systems.

Three Cyber Attacks In One Month

In early June, WestJet, one of Canada’s most popular airlines, first realized that something was amiss in its systems. The company had been hit by a cyber incident, which had prevented users from logging into its website and mobile app.

WestJet was quick to address the problem, as it detailed on its advisory page over the next few days. However, this wasn’t an isolated incident. The airline was one of three that suffered attacks. Qantas and Hawaiian Airlines were also hit.

Hawaiian Airlines detected its own breach on June 23 and disclosed it three days later via a terse message on its site. Its flight schedule was operational, and guest travel was not affected, it said.

Then, it was Australia’s turn. Its Qantas airline saw unusual activity on a third-party platform used by its contact centre. The attacker managed to pilfer customer names, addresses, phone numbers, birth dates, and frequent flyer numbers.

On July 2, Qantas stated that it had service records for six million customers on the platform and expected the proportion of stolen data to be “significant”. However, the thieves didn’t get away with payment information, it added.

These attacks look coordinated. Scattered Spider, the threat group also presumed responsible for attacks on the MGM Grand Casino and, more recently, Marks & Spencer, had turned its attention to the airline sector, warned the FBI.

According to the Bureau, the criminal group compromises employee accounts by visiting help desks and impersonating employees or contractors, convincing operators to give them account access. It will then often convince those operators to add MFA access to the accounts, locking out the legitimate users. Sources indicated that the airline attacks appeared to be the work of this group.

A Decade Of Digital Turbulence

This isn’t the first time an airline has faced a cyber attack. 2015 saw Polish airline LOT suffer a DDoS attack that prevented it from issuing flight plans, leaving 1,400 passengers stranded and 20 flights cancelled.

Three years later, attackers nobbled British Airways by compromising a BA network account issued to an employee at cargo handling company Swissport. A lack of MFA enabled the attackers to compromise the account and exploit a vulnerability in Citrix to gain access to the wider BA network. From there, they accessed the credentials for a Windows domain administrator account, which were stored in plain text. The attacker, Magecart, planted JavaScript on the airline’s website and stole the payment card details of 380,000 customers. BA escaped with a £20m fine, slashed from £183m.

Incidents like these are frequent enough to have blotted the aviation industry’s copybook. Security management software company SecurityScorecard gives the sector a ‘B’ on cybersecurity. It isn’t a failing grade, says the organization, but it makes companies in this sector almost three times more likely to suffer a breach than those in A-rated sectors.

Regulators Take Notice

That’s no wonder, given the sprawling attack surface for most airlines. It isn’t just administrative systems that are a target. Operational systems, ranging from equipment at the airport to in-flight equipment, are also under threat.

Most aviation breaches are administrative, focusing on passenger and payment information rather than the aircraft themselves; however, things would become far more serious if someone were to target operational technology on planes in flight. To date, such hacks have mostly been proof-of-concept tests. However, regulators are still taking preventative measures. The FAA proposed new rules last year to protect aircraft systems.

The US Transportation Security Administration (TSA) imposed new cybersecurity rules on airport and aircraft operators in 2023, including network segmentation requirements. The EU published the Implementing Regulation (EU) 2023/203 (Part-IS) in October 2022, which outlines rules for identifying and managing security risks in aviation organizations. That comes into force this year.

Building Resilient Aviation Operations

What can aviation companies do to protect themselves against growing cyber risk? Although the regulatory standards are sector-specific, regulators have, in some cases, made the effort to overlap with ISO 27001. While aviation industry organizations may need to undertake additional work to meet specific aviation safety requirements outlined in Part-IS, those requirements are nevertheless “consistent and aligned with ISO-IEC 27001,” according to the EU Aviation Safety Agency (EASA).

The security measures that aviation companies need to put in place aren’t rocket science. The TSA’s focus is on network segmentation policies and access controls to stop intruders from breaching your network. Admonishments to patch software also show up. Recommendations like these are even more common than bathroom queues on a long-haul flight.

Much like not smoking on a flight, adopting good cybersecurity practices on aviation networks is non-negotiable. Having passenger account data stolen is bad enough, but without effective protection, the outcomes of a more concerted attack by an operator driven by something other than profit could be far, far worse.