Cybercriminals have increasingly turned their attention to airlines, drawn by the vast amounts of personal data these companies collect. Among the most sought-after information are passports and government identification, which pose a significant risk for long-term identity theft. According to Incogni, a company specializing in data privacy and removal, leaks involving such sensitive documents can lead to synthetic identity fraud and impersonation scams, causing harm that can extend over many years.
This week, Qantas Airways experienced a data breach attributed to the threat group Scattered LAPSUS$ Hunters. Although the exposed data included names, email addresses, and Frequent Flyer details, the airline clarified that no credit card information, personal financial details, or passport numbers were compromised. While this incident did not involve the most damaging types of personal data, concerns about consumer risk remain high. As Darius Belejevas, Head of Incogni, pointed out, even when critical data like payment or identification isn’t exposed, personal identifiers alone can facilitate large-scale fraud. Attackers often combine these details with information from previous breaches to build detailed identity profiles.
The breach at Qantas also underscores the vulnerabilities associated with third-party vendors. The incident was linked to social engineering tactics that targeted Salesforce, highlighting how the compromise of a single supplier can jeopardize the security of millions of customer records. This illustrates a harsh reality in the cybersecurity landscape: a breach affecting one entity can have cascading effects across various industries.
Data from Cyble’s threat intelligence database reveals that threat actors have claimed more than 20 airline data breaches on the dark web this year, a 50% increase compared to the same time in 2024. This surge can be partly attributed to heightened targeting of the airline sector by the Scattered LAPSUS$ Hunters and other threat groups. Recently, the CL0P ransomware group claimed to possess data from Envoy Air, a regional carrier for American Airlines. The carrier confirmed the incident but stated that no customer data was affected; only minor business information and commercial contact details were involved.
In contrast, WestJet faced a more severe fallout from a data breach in June, as confidential passenger travel documents, including passports and government IDs, were exposed. The airline has since offered affected customers two years of complimentary identity theft protection. However, experts from Incogni have warned that compromised identity documents can enable fraud for far longer than the duration of monitoring services.
As airlines continue to be targeted, proactive measures for prevention and response become imperative. Individuals affected by data breaches should consider enrolling in identity theft monitoring, reporting suspicious activity to national anti-fraud hotlines, and using strong, unique passwords along with multi-factor authentication on all online accounts. Moreover, removing personal information from data broker sites can make it harder for scammers to exploit readily available data.
Ron Zayas, CEO of Incogni, emphasized the need for both individuals and organizations to fortify their data protection efforts. He cautioned that sensitive data is not only at risk from cybercriminals but is also misused by legitimate organizations for manipulative purposes. As the cybersecurity landscape evolves, understanding and applying frameworks like the MITRE ATT&CK Matrix is essential for pinpointing the tactics and techniques that may have been employed against various targets. The Qantas incident, for instance, could involve tactics related to initial access and persistence, typical of social engineering strategies.