- Hawaiian Airlines files 8-K form with the SEC
- It claims to have observed an attack, but it didn’t affect flights or their safety
- Security researchers believe the attack was done by Scattered Spider
Hawaiian Airlines has said it recently suffered a cyberattack, but stressed the incident didn’t affect any flights.
In a new 8-K form filed with the US Securities and Exchange Commission (SEC), the airline said it identified a “security incident affecting certain information technology systems”, on June 23, 2025.
The company responded by “taking steps to safeguard the operations and systems”, bringing in external third-party cybersecurity experts to investigate the attack, and notifying relevant authorities about the incident.
Scattered Spider’s fingerprints
Other details are unknown at the time, but security experts and the media are speculating this might have been the work of Scattered Spider, a hacking collective that’s been targeting US-based retailers lately.
In fact, Charles Carmakal, the CTO of Google’s Mandiant Consulting security research arm, told The Register this attack “bears the hallmarks” of that particular threat actor.
“Mandiant is aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider. We are still working on attribution and analysis, but given the habit of this actor to focus on a single sector we suggest that the industry take steps immediately to harden systems,” said Carmakal.
“The actor’s core tactics, techniques, and procedures have remained consistent. This means that organizations can take proactive steps like training their help desk staff to enforce robust identity verification processes and deploying phishing-resistant MFA to defend against these intrusions. Additional advice can be found in our previous hardening guide.”
Hawaiian adds its flights are operating safely and as per schedule.
“The company has not yet determined whether the incident is reasonably likely to materially impact the company’s financial condition or results of operations,” the filing concluded.
Since the company did not take down its IT network, it’s safe to assume that this wasn’t a ransomware attack, but these details could be known in the coming weeks.
Leave a comment