Who Is Scattered Spider? A Look at the Airline Hacks and Qantas Data Leak

Scattered Spider Targets Aviation Industry Worldwide

Over the weekend, the FBI, Google and Palo Alto Networks flagged a surge in cyber attacks on airlines and travel firms. These alerts match the operating pattern of the hacker group known as Scattered Spider. Recent signs suggest Australia may now be in their sights.

Qantas confirmed a breach of 6 million customer records in a serious cyber attack. While the airline has not confirmed Scattered Spider’s involvement, experts point to tactics typical of the group.

Scattered Spider – Who Are They?

Scattered Spider, also called UNC3944, is a network of cybercriminal affiliates. They’re known by multiple aliases like Octo Tempest, Star Fraud and Muddled Libra. The group mainly consists of young, native English speakers from the US and UK—some as young as 16.

Since 2022, they’ve carried out over 100 attacks across telecoms, finance, retail, gaming and more. They often pick high‑pressure customer-facing sectors, going after the “big fish.”

In 2023, they hit MGM Resorts and Caesars Entertainment, disrupting casino operations. Their strike on Marks & Spencer in the UK caused online outages that cost around £300 million in profit.


Tactics and Techniques

Scattered Spider leans heavily on social engineering to bypass security systems. They typically impersonate company IT staff to dupe helpdesk workers into granting access—via phishing emails, texts or direct calls. These tactics are sharp and manipulative, as experts at Griffith and La Trobe Universities warn.

Another trick: MFA fatigue attacks. Here, attackers flood a user’s device with authentication requests. Exhausted or fooled, people sometimes approve them—opening doors to sensitive systems or data.

These methods are a classic test case for cybersecurity testing in real-world setups. Human vulnerabilities remain the weakest link.

What Qantas Reports

A few days ago, Qantas detected unusual access on a third-party contact‑centre platform. The breach included 6 million customer service records. The airline said stolen data likely contains names, emails, phone numbers, birth dates and frequent flyer numbers. Crucially, no passport, credit card or login credentials were exposed.

They also assured customers that frequent flyer accounts, passwords and PINs were untouched.

This incident came after the FBI warned that Scattered Spider is now targeting the airline sector—including vendors and contractors. Hawaiian Airlines (Alaska Air Group) and WestJet in Canada also reported cyber incidents recently.

Qantas has notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.

Risks to Affected Customers

Past breaches—like Optus and Medibank—have shown how attackers seize on exposed data to demand ransom or fuel fraud. For Qantas data, stolen details could be bundled with other leaks. This enables identity theft, SIM‑swap scams or false password resets.

SIM swaps are a real threat. With a few personal details—like date of birth and address—fraudsters can impersonate you and hijack mobile access. La Trobe’s Daswin De Silva warned that attackers often strike again with phishing or password‑reset attempts once they have initial data. The Qantas disclosure delay gave crooks over 48 hours to launch such secondary attacks.

The Cybernetic GI cyber security team urges customers to monitor their accounts, including frequent flyer statements, and not to reuse passwords anywhere. Educating staff and running cybersecurity testing regularly remain key.


How to Fight Back

Enterprises need more than strong tech. They need a solid incident response strategy—especially a skilled cyber incident response team ready to act when threats crop up.

Here’s what an effective cyber incident response team can do –

  • Contain and analyse the breach fast.
  • Hunt for intrusion signs and trace how attackers got in.
  • Inform authorities and customers promptly.
  • Patch vulnerabilities and harden defences against future attacks through cybersecurity testing.
  • Review and learn, updating training and tools after the event.

Another role of cybersecurity testing is to simulate social engineering and MFA fatigue. These tests help staff learn to spot manipulation and resist pressure tactics.

What Organisations Should Do

Apart from tightening cyber security, organisations must also focus on educating employees, building a cyber response team and working with a cyber security expert.

  • Tighten third‑party oversight

Evaluate the security stance of all vendors, especially those with access to your systems. Regular cybersecurity testing of third-party platforms helps uncover hidden risks.

  • Run social engineering drills

Simulated phishing and voice‑spoof exercises help employees spot tricks before real damage happens.

  • Stress-test MFA

Check that MFA systems resist abuse. Teach teams to flag multiple prompts as suspicious.

  • Build a robust cyber incident response plan

Your cyber incident response team should train through tabletop exercises. They need installed tools, authority to isolate affected systems, and clear communication protocols.

  • Keep customers informed

Fast, factual communication limits confusion and fraud. Regulators should also be informed quickly.
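
One way to turn the "flag multiple prompts" advice and the MFA fatigue pattern described under Tactics and Techniques into a detection rule is shown below. This is an added example, not part of the original article: the log format, event names and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <event>". Field layout and
# event labels are assumptions; map them to your identity provider's export.
SAMPLE_LOG = """\
2025-07-01T08:59:50 alice push_sent
2025-07-01T09:00:02 alice push_approved
2025-07-01T02:10:00 bob push_sent
2025-07-01T02:10:40 bob push_denied
2025-07-01T02:11:05 bob push_sent
2025-07-01T02:11:30 bob push_sent
2025-07-01T02:12:10 bob push_sent
2025-07-01T02:12:45 bob push_sent
2025-07-01T02:13:20 bob push_approved
2025-07-01T14:00:00 carol push_sent
2025-07-01T14:01:00 carol push_sent
2025-07-01T14:02:00 carol push_sent
2025-07-01T14:03:00 carol push_sent
2025-07-01T14:04:00 carol push_sent
"""

def detect_mfa_fatigue(log_text, max_prompts=5, window=timedelta(minutes=10)):
    """Return alerts for users who get max_prompts or more pushes within window."""
    events = sorted(
        (datetime.fromisoformat(ts), user, event)
        for ts, user, event in map(str.split, filter(str.strip, log_text.splitlines()))
    )
    recent = defaultdict(deque)   # user -> timestamps of prompts inside the window
    alerts = {}                   # user -> most serious alert seen so far
    for ts, user, event in events:
        prompts = recent[user]
        while prompts and ts - prompts[0] > window:
            prompts.popleft()     # forget prompts older than the window
        if event == "push_sent":
            prompts.append(ts)
            if len(prompts) >= max_prompts and user not in alerts:
                alerts[user] = {"user": user, "prompts": len(prompts), "outcome": "burst"}
        elif event == "push_approved":
            if len(prompts) >= max_prompts:
                # Approval straight after a burst: escalate to incident response.
                alerts[user] = {"user": user, "prompts": len(prompts),
                                "outcome": "approved_after_burst"}
            prompts.clear()       # an approval resets the prompt count
    return sorted(alerts.values(), key=lambda a: a["user"])

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

An `approved_after_burst` alert warrants revoking the session and contacting the user out of band, while a plain `burst` is a cue to check whether the account's password is already compromised.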

Final Thoughts

This Qantas breach underscores how groups like Scattered Spider exploit human weaknesses, not just technical flaws. Strong software counts—but so do vigilant people and well-prepared teams.

Organisations in Australia and beyond should –

  • Invest in ongoing cybersecurity testing.
  • Build a capable cyber incident response team.
  • Keep employees sharp against social engineering and MFA tricks.

If you’re with Qantas or another company handling sensitive data, use this event as a call to action. Prepare, test and respond—so next time, you’re ready.

Get in touch with us for any cyber security support. Cybernetic GI is here to help.
