Aviation Under Siege: The Hawaiian Airlines Cybersecurity Event


Incident Overview

On June 26, 2025, Hawaiian Airlines confirmed that “some of our IT systems” were disrupted by a cybersecurity event, language often signaling a ransomware intrusion. The breach did not affect flight safety or schedules, but prompted FAA engagement and highlighted that even well-resourced carriers remain vulnerable. Within 24 hours, Google’s Mandiant and Palo Alto Networks warned that the “Scattered Spider” hacking group (also known as UNC3944) had begun targeting aviation and transportation, marking a shift toward highly organized, cross-sector campaigns. Previously linked to disruptions at MGM Resorts and British retailers, Scattered Spider’s social-engineering tactics and credential-harvesting tools pose acute risks to airlines’ complex IT ecosystems.

Implications for Internal Audit

  • Incident Response Effectiveness: Audit must verify that detection tools, escalation procedures, and crisis-management protocols are not only documented but routinely stress-tested under ransomware scenarios.
  • Third-Party Cyber Risk: Given the group’s focus on service providers, auditors should perform deep-dive assessments of critical vendors, examining contractual cybersecurity clauses, control attestations, and penetration-test results.
  • Business Continuity and Data Integrity: Disruptions highlight the need for robust backup strategies—verify recovery-time objectives, conduct regular restoration drills, and confirm data-integrity checks to safeguard against incomplete recoveries.

Actionable Recommendations

  1. Ransomware Tabletop Exercises: Orchestrate cross-functional drills simulating a ransomware breach, involving IT, legal, communications, and audit to identify coordination gaps and streamline decision-making.
  2. Vendor Control Scorecards: Develop dynamic scorecards for high-risk suppliers that include cybersecurity KPIs—patch cadence, MFA implementation, and incident-response readiness—and schedule periodic assurance reviews.
  3. Continuous Monitoring Deployment: Implement real-time analytics to detect anomalous user-behavior patterns, configuration deviations, and suspicious network traffic, feeding alerts directly to audit dashboards.

Primary Source: Hawaiian Airlines hit by cyber attack (Reuters)
