DOCUmation Blog

Scattered Spider Airline Hacks Show Why Cybersecurity Starts with Your People

Written by | 2025

This month, multiple airlines in the U.S. and Canada experienced cyberattacks linked to a group known as Scattered Spider, according to statements from the FBI and private security experts. While flight operations weren’t affected, the incidents have drawn attention across industries due to the tactics used and the group’s recent activity in other business sectors.

Scattered Spider is not new to investigators. In the past year, they’ve been linked to attacks on major hotel chains, insurance companies, and retailers. Their approach is persistent and methodical, often involving social engineering—tricking customer service or IT support teams into granting access—and using that access to gather data or deploy ransomware.

Details of the Airline Cyberattack by Scattered Spider

  • The group targeted multiple companies in the airline ecosystem—not just the airlines themselves, but also IT contractors and service vendors with access to airline systems.
  • Once inside, they stole sensitive data and, in some cases, deployed ransomware—locking critical files and demanding payment to restore access. The stolen data likely included internal documents, employee credentials, and possibly customer records. In some cases, the attackers disrupted support tools or internal systems to make it harder for teams to respond quickly, increasing pressure on the victims to pay or cooperate.
  • The attacks didn’t disrupt flight operations but did impact internal systems, such as customer apps or backend services.
  • WestJet and Hawaiian Airlines both reported ongoing assessments of the situation.
  • The FBI confirmed the group’s involvement and is working with aviation partners to respond.

How Scattered Spider Gained Access to Airline IT Systems

Scattered Spider is known for using social engineering tactics to gain initial access. One of their primary methods involves calling IT help desks while posing as legitimate employees. By using publicly available information—such as employee names, titles, and internal language—they attempt to convince support staff to reset passwords or grant account access. In many cases, persistent and confident impersonation has been enough to bypass weak or inconsistent identity checks.

Once they’re in, attackers use those credentials to move through internal systems, escalate privileges, and search for valuable data. They may also deploy ransomware or steal information for extortion. Because they’re using what appear to be authorized accounts, these attacks often go undetected until damage is done.

This approach reinforces the need for consistent identity verification, employee training, and clear protocols for sensitive access.

Why the Scattered Spider Hacks Matter for Business Cybersecurity

The recent airline cyberattacks are part of a broader trend that businesses can’t afford to ignore. Scattered Spider has used the same playbook across multiple industries: social engineering, impersonation, and exploiting third-party access. These aren’t one-off incidents—they’re part of an ongoing pattern.

These events highlight that it’s not just large enterprises at risk. Any organization with an IT support team, customer service function, or third-party vendor relationships can be a target.

Cybersecurity Lessons from the Airline Hacks

What makes these attacks especially dangerous is that they don’t need to break through firewalls—they get in by targeting everyday workflows and overlooked procedures. That’s why real cybersecurity isn’t just about the tools you use; it’s about how your team responds, how access is managed, and how consistently policies are followed. Key lessons for businesses include:

  • Cyberattacks often start with everyday interactions—like a phone call to IT or a service ticket.
  • Strong network segmentation and business continuity planning can help minimize the impact if a breach occurs.
  • Collaboration with law enforcement and cybersecurity partners helps speed up recovery and strengthen defenses industry-wide.

Tips to Stay Protected from Impersonation Attacks

Scattered Spider doesn’t rely on hacking in the traditional sense. Instead, they use deception—calling support desks, pretending to be staff, and working their way in through normal communication channels. It’s not a tech problem; it’s a trust problem.

Simple ways you can stay ahead of the game:

  • Educate staff to recognize red flags during support interactions, especially unexpected requests for password changes or account access.
  • Standardize your support procedures so that every request is verified the same way, every time.
  • Control system access by making sure employees and partners only have the permissions they need to do their jobs.
  • Monitor for unusual activity and have a clear, tested plan to respond quickly if something seems off.
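
One way to act on the monitoring tip above, given that these intrusions ride on accounts that look authorized (an added example, not DOCUmation's own code): correlate each help-desk password reset with the sign-ins that follow it, and flag any from a source the account has never used before. The event field names, user names, agent IDs, and the 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are assumptions:
# map them to what your ticketing system and identity provider export.
EVENTS = [
    {"ts": "2025-06-01T08:00:00", "type": "signin", "user": "bchen", "src": "203.0.113.25"},
    {"ts": "2025-06-02T08:55:00", "type": "signin", "user": "avasquez", "src": "203.0.113.10"},
    {"ts": "2025-06-10T14:20:00", "type": "helpdesk_reset", "user": "avasquez", "agent": "hd-07"},
    {"ts": "2025-06-10T14:31:00", "type": "signin", "user": "avasquez", "src": "198.51.100.77"},
    {"ts": "2025-06-10T14:40:00", "type": "signin", "user": "avasquez", "src": "198.51.100.77"},
    {"ts": "2025-06-11T10:00:00", "type": "helpdesk_reset", "user": "bchen", "agent": "hd-02"},
    {"ts": "2025-06-11T10:12:00", "type": "signin", "user": "bchen", "src": "203.0.113.25"},
]


def find_suspicious_resets(events, window=timedelta(hours=24)):
    """Flag sign-ins that follow a help-desk reset from a never-seen source."""
    known = {}       # user -> sources seen outside any post-reset window
    last_reset = {}  # user -> (time, agent) of the most recent reset
    flagged = set()  # (user, reset time, source) already alerted on
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "helpdesk_reset":
            last_reset[user] = (ts, ev["agent"])
            continue
        if ev["type"] != "signin":
            continue
        reset = last_reset.get(user)
        if reset is None or ts - reset[0] > window:
            # Normal period: this source becomes part of the user's baseline.
            known.setdefault(user, set()).add(ev["src"])
            continue
        key = (user, reset[0], ev["src"])
        # Inside the window, new sources are never learned, so an intruder
        # cannot turn their own address into "known" by signing in twice.
        if ev["src"] not in known.get(user, set()) and key not in flagged:
            flagged.add(key)
            alerts.append({"user": user, "src": ev["src"], "reset_by": reset[1],
                           "minutes_after_reset": int((ts - reset[0]).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(EVENTS):
        print(alert)
```

An account with no sign-in history before its reset will always be flagged, which suits a review queue: each alert names the help-desk agent, so the reviewer can confirm how the caller was verified.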

Cyber threats aren’t going away—but staying informed and reinforcing simple, repeatable processes can make a big difference. Attacks like these succeed when teams aren’t prepared. With the right awareness and planning, businesses can reduce risk and respond confidently when something doesn’t look right.


DOCUmation works with businesses across Texas to put these protections in place—making sure support channels are secure, consistent, and ready to respond to any threat.
