The fickle, hacking finger of fate is now pointing squarely at America’s commercial airline industry. Travelers who already dread cramped cabins, endless delays, and broken customer service might soon come to regard today’s misery as the good old days.
No doubt, trolls will scoff and dismiss my cybersecurity alarmism as coming from an internet-enabled Chicken Little. Unfortunately, I’m not the one sounding the alarm. That would be the Federal Bureau of Investigation—and if they’re issuing public cyber threat warnings involving the airline industry, the situation is already dire.
On Friday, the FBI called out Scattered Spider, a prolific and sophisticated hacking collective, as an active threat to the aviation sector. The group reportedly has already sunk its digital appendages into the IT systems of Hawaiian Airlines and Canada’s WestJet. Given that Scattered Spider has a track record of working industry by industry, every major U.S. airline possibly has a digital bullseye painted across its servers—as do their contractors and critical vendors.


Scattered Spider, also known as UNC3944, is believed to be a loosely affiliated group of English-speaking hackers based in the U.S. and U.K. Their specialty? Bypassing multi-factor authentication and other security controls by tricking IT professionals into handing over their login credentials.
I kid you not.
The group has already crippled MGM Resorts and Caesars Entertainment, forcing the latter to reportedly cough up $15 million in ransom. MGM refused—and instead endured a ten-day IT shutdown costing upwards of $100 million. Scattered Spider also hit Aflac, Erie Insurance, and Philadelphia Insurance, stealing personal and medical data.
“Scattered Spider delivers sustained operational disruption, weekslong downtime, steep recovery costs, regulatory penalties, brand damage, and potential existential risk to businesses of all sizes,” cybersecurity firm Halcyon warned in a recent report.
A Digital Mount Everest?
One might expect that targeting the IT networks of America’s airline cartel—United, Delta, American, and Southwest—would be the digital equivalent of scaling Mount Everest. The cartel accounts for 80% of the U.S. commercial aviation market and plays a critical role in both commerce and military logistics. On any given day, U.S. airlines transport 2.9 million passengers and 61,000 tons of cargo across the country and the world.
The cartel is presumably overseen by the best CEOs money can buy, with United’s Scott Kirby collecting $34 million last year, Delta’s Ed Bastian receiving $27 million, American’s Rob Isom hauling in $16 million, and Southwest’s Bob Jordan scrounging up $11 million.
Surely this elite crew of obscenely compensated business minds would have the foresight to ensure their IT networks are as secure and modern as the Rock of Gibraltar.
Think again.
For Scattered Spider’s seasoned hackers, entering the IT networks of one or more cartel members might be more akin to taking candy from a baby. The cartel is as miserly in spending on its IT as it is in awarding upgrades to its most frequent flyers.

According to TNMT, a Lufthansa-backed research platform, airline IT spending has declined 21% from pre-pandemic levels—from $50 billion in 2019 to an estimated $39 billion by 2024. Even more damning: IT investment now makes up just 4% of airline revenues, down from 5% before COVID, according to TNMT.
National Security Issue
TNMT isn’t alone in warning about the U.S. airline industry’s neglect of its IT networks. The Foundation for Defense of Democracies, a Washington-based think tank focused on national security, released a sobering report in April about the vulnerabilities plaguing the IT infrastructure of America’s commercial airline sector.
Here’s a taste:
The aviation industry relies on a host of computer systems to support operations. For example, airlines use various platforms to manage bookings, fleet logistics, and transactions with third-party vendors. ATC (Air Traffic Control) systems are also critical to ensuring the safe and orderly movement of aircraft. In addition, airports rely on technology for handling baggage, screening passengers, operating security checkpoints, and managing terminals. Together, these systems form a complex ecosystem, where a cyber incident in one area could disrupt operations in others.
Unfortunately, many of these systems are outdated and lack the flexibility to adapt to emerging threats. While airline-specific failures often stem from poor investment decisions—such as neglecting to replace outdated inventory or scheduling systems—the broader concern lies in the systemic risks posed by aging foundational infrastructure such as ATC systems.
Southwest’s IT Fiasco
Southwest passengers have already endured the consequences. In December 2022, a winter storm wreaked so much havoc that Southwest’s ancient crew scheduling system, cobbled together some two decades earlier, imploded and couldn’t track or reassign pilots and flight attendants in real time. The system lacked even basic automation. Crew schedulers had to call employees individually and hope they were available to take the calls.
The result: 16,700 canceled flights, two million stranded passengers, and an estimated $800 million in financial damage. Southwest had spent $8 billion on stock buybacks to boost its share price in the four years prior—but couldn’t find the budget to replace antiquated software that governed its entire workforce.
The Department of Transportation fined Southwest a paltry $140 million, albeit the largest fine ever levied against a U.S. airline.
Think Southwest’s disaster shocked the rest of the industry into action?
Delta’s IT Meltdown
Last July, Delta suffered a complete global IT failure, canceling more than 7,000 flights and stranding 1.3 million passengers. While Delta blamed CrowdStrike, a security vendor whose software update caused systemic airline industry issues, Delta’s recovery was uniquely slow. Delta sued CrowdStrike for damages—and the cybersecurity firm responded with a scathing countersuit, slamming what it claimed was Delta’s slapdash, rinky-dink IT system. Microsoft also publicly alleged that Delta’s technology was outdated.
Among the damning allegations in CrowdStrike’s lawsuit: Delta’s systems had thousands of compromised passwords, outdated tech, misconfigured network environments, and an insecure custom script running daily on thousands of machines. CrowdStrike said Delta was the only airline with these vulnerabilities.
The firm also alleged that Delta violated FAA cybersecurity mandates requiring airlines to segment operational and IT systems. The FAA announced an investigation while Delta’s IT debacle was unfolding. But nearly a year later? No penalties. No enforcement. Just crickets.

FAA Safety Oversight?
Trust in the FAA is a dicey proposition. This is the same agency that ignored whistleblowers and waved through Boeing’s now-infamous 737 MAX disaster. The FAA recently moved to allow American Airlines to operate its premium-heavy 787 Dreamliners with one fewer flight attendant than previously required, despite safety concerns from the Association of Professional Flight Attendants (APFA).
The APFA, which represents 28,000 inflight crew members at American, warned that reducing staffing was a safety risk because it would result in one flight attendant being responsible for two exits in the event of an emergency evacuation.
Frankly, I’d think twice before flying on a Dreamliner belonging to American Airlines. Two of the airline’s pilots recently flew one from Philadelphia across the Atlantic on a flight to Naples, blissfully unaware their plane was too big for the city’s airport until their descent. The flight was diverted to Rome, some 124 miles away.
Let that sink in.