On June 26, Hawaiian Airlines reported that it had suffered a “cybersecurity event,” or as everyone else would call it, a cyberattack, per USA Today. Fortunately for passengers no flights were delayed or canceled, and future reservations could still be made. The FAA stated that “There has been no impact on safety, and the airline continues to operate safely.”
So that’s all good. Less good is that Hawaiian hasn’t mentioned what actually did occur; it hasn’t said that passenger data was compromised, but Hawaiian hasn’t said that it wasn’t, either. The Wall Street Journal mentions that airlines in general are juicy targets, since they have not just consumer but also corporate and government information accessible from locations (like airports) around the world with varying levels of security.
In fact, cyberattacks against commercial aviation are on the rise generally. Just this month, WestJet was also hit, enough to cause disruptions to ticketing. Ironically, this was in Canada at the same time as the G7 summit, where one of the agenda items was… cybersecurity. In December, Japan Airlines got whacked by a DDoS attack which caused flight delays and disrupted luggage services. And per Airways Magazine, airlines aren’t even the most common target: 65% of aviation cyberattacks go at the actual airports themselves. The Seattle-Tacoma International Airport (SEA) was hit just this past August.
Greater threats, less protection
Cyberthreats are on the rise generally. NBC News reports that the cyber gang Scattered Spider has shifted their focus towards the aviation industry lately; these are the guys who hit a bunch of Las Vegas casinos and British department stores a few years back. Meanwhile, the United States just airstruck Iran, who may well be looking for vectors to retaliate.
But the Trump administration has cut funding to the Cybersecurity and Infrastructure Security Agency (CISA), the federal agency tasked with defending American institutions from such attacks and first signed into existence by… Donald Trump, the last time around. The administration appears to be tapping the FBI to pick up CISA’s slack, but the Bureau has also been told to focus more on immigration than, you know, hostile foreign powers. Meanwhile, last year the private cybersecurity program CrowdStrike shut down half the world. Not exactly great defenses there.
And it’s not just the U.S. that’s being targeted. In 2024, Germany’s air traffic control system was hit; in February, it was the Arab Civil Aviation Organization (ACAO), who actually had sensitive information compromised. Generally, if you were looking to cause cyberhavoc, this is a pretty good (read: weak) security environment to do it in, and aviation has lots of valuable ones and zeroes to steal, or disrupt, or in the worst case, try to cause accidents with.
