What are Industry Developments in the Aviation Sector?
The global aviation network connects people, economies, supply chains, and even supports national readiness in times of emergency. Operating tens of millions of flights in the United States every year alone, it facilitates the movement of passengers and cargo throughout the country and around the world. According to The Economic Times, global air passenger traffic is projected to reach 9.8 billion in 2025, an increase of nearly 4% compared to the year before.[1] Growth is expected to continue over the next five years, with global passenger traffic exceeding 12 billion in 2030, fueled by growth in international markets.[2]
Global air freight, or “world air cargo,” adds to these numbers, demonstrating the magnitude of the supply chain network. In 2025, according to the International Air Transport Association (IATA), it amounted to approximately 22.7 billion ton-kilometers.[3] This is like moving 23 million tons from Chicago to New York 23 million times. While this makes up a small percentage of global movement by weight, it is the most valuable and time-sensitive section of trade goods.
Naturally, to support this massive network, the aviation industry is integrating automation, IoT, and AI-enabled systems. As it does so, the industry becomes more reliant upon digital infrastructure to deliver its services, including managing flight operations, baggage handling, air traffic control, and ticketing operations. In most cases, for airports, this includes physical security as well. According to the UK Department for Transport’s Rail Cyber Security Guidance, modern transportation systems, including aviation, rely heavily on digital networks, making them susceptible to cyber threats that could cause delays, operational failures, or even catastrophic incidents.
Cybercriminals are aware of the importance of the continuous operation of the global aviation network, which makes it a valuable target. They have also observed the integration of digital technologies and third-party service providers, and are targeting them with ransomware attacks, social engineering, supply chain attacks, and even GPS jamming.
Unfortunately, cyber incidents are already impacting airlines, airports, and aviation service providers, and the need for robust cybersecurity measures has never been greater. Recent FBI warnings and real incidents in the sector provide the supporting data that makes the case.[4] Here we will outline the top cybersecurity threats facing the aviation sector, and the steps leaders can take to mitigate risk while safeguarding critical infrastructure.
Fictional Scenario: A Coordinated Aviation Cyberattack
In March 2026, a service provider supporting multiple major airlines became the first victim in a phishing campaign targeting the aviation sector. It was a booking software solution provider whose IT administrator’s credentials were compromised. The attackers combined social engineering with MFA fatigue to convince a service desk representative to change the password on an IT administrator’s account. Once this was done, the attackers obtained access to identity administration, Microsoft 365 accounts, cloud administration, and OT systems. From there, the attackers positioned themselves as representatives of the compromised organization and proceeded to penetrate airlines and airports directly using the same tactics, techniques, and procedures. Once they had gained enough of a foothold, they began to turn the screws, taking down services and impacting more of the global network over time.
Flight operations, baggage handling, and ticketing services all began failing, forcing airports to fall back to manual processes where possible and to cancel flights where it was not. As time went on and conditions worsened, the cybercriminals demanded a ransom from the affected airlines, airports, and the service provider. Pressure mounted as financial losses increased and passengers and cargo were delayed.
While this scenario is fiction, recent real-world incidents closely reflect the narrative. Sometimes the actual attack doesn’t go beyond one service provider, but the impact is felt across the industry due to the nature of shared services. Leaders must understand these risks and work with stakeholders to assess their exposure and implement the needed safeguards to prevent successful attacks and reduce the impact if and when they are realized.
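One way a SOC could correlate the chain in this scenario: a burst of failed MFA pushes on a privileged account, followed by a password reset performed by someone other than the account owner. This is an added example, not HALOCK's code; the log format, field names, account names, threshold, and window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed identity-provider and service-desk events (not real logs).
# Field names (event, user, actor, ip) are assumptions for this example.
SAMPLE_LOG = """\
2026-03-02T08:00:05Z event=mfa_push_denied user=it.admin ip=203.0.113.50
2026-03-02T08:00:40Z event=mfa_push_denied user=it.admin ip=203.0.113.50
2026-03-02T08:01:10Z event=mfa_push_timeout user=it.admin ip=203.0.113.50
2026-03-02T08:01:45Z event=mfa_push_denied user=it.admin ip=203.0.113.50
2026-03-02T08:12:30Z event=password_reset user=it.admin actor=servicedesk.rep1
2026-03-02T08:14:02Z event=login_success user=it.admin ip=203.0.113.50
2026-03-02T09:00:00Z event=mfa_push_denied user=jdoe ip=198.51.100.7
2026-03-02T09:30:00Z event=password_reset user=jdoe actor=jdoe
2026-03-02T10:00:00Z event=password_reset user=cloud.admin actor=servicedesk.rep2
"""

PRIVILEGED = {"it.admin", "cloud.admin"}   # assumed privileged-account inventory
FAILED_PUSH = {"mfa_push_denied", "mfa_push_timeout"}
PUSH_THRESHOLD = 3                         # failed pushes that count as a burst
WINDOW = timedelta(minutes=30)             # burst-to-reset correlation window


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_fatigue_then_reset(log_text):
    """Alert when a privileged account sees a burst of failed MFA pushes and
    someone other than the account owner resets its password soon after."""
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    failed = {}   # user -> timestamps of failed pushes
    alerts = []
    for ev in events:
        user = ev["user"]
        if ev["event"] in FAILED_PUSH:
            failed.setdefault(user, []).append(ev["ts"])
        elif ev["event"] == "password_reset":
            recent = [t for t in failed.get(user, []) if ev["ts"] - t <= WINDOW]
            if (user in PRIVILEGED and ev.get("actor") != user
                    and len(recent) >= PUSH_THRESHOLD):
                alerts.append({"user": user, "actor": ev.get("actor"),
                               "failed_pushes": len(recent), "reset_at": ev["ts"],
                               "first_login_ip": None})
        elif ev["event"] == "login_success":
            # Attach the first sign-in after a flagged reset for triage.
            for a in alerts:
                if a["user"] == user and a["first_login_ip"] is None:
                    a["first_login_ip"] = ev["ip"]
    return alerts


if __name__ == "__main__":
    for alert in detect_fatigue_then_reset(SAMPLE_LOG):
        print(alert)
```

A reset on a privileged account with no preceding push burst (the `cloud.admin` line) is deliberately not flagged here; an organization that requires out-of-band verification for every privileged reset would review those through a separate rule.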
What are the Top Cyber Threats in the Aviation Sector?
Ransomware Targeting Airlines and Airports
- Qantas (2025) – Soon after the FBI put out notice that airlines were being targeted by the group called “Scattered Spider”, Qantas reported unusual activity on a platform used by its call center to store the data of six million people.[5] The platform was compromised, and customer data was exposed.[6]
- SpiceJet Airline (2022) – The Indian airline said an “attempted ransomware attack” against its IT infrastructure caused flights to be delayed or canceled, and left passengers stranded.[7]
Impact: Flight delays, stranded passengers, loss of revenue, CEO bonus impacted.
Methods: Lateral movement through compromised infrastructure, unpatched vulnerability, and phishing.
Aviation OT System Vulnerabilities
- Vietnamese Airports Hacked (2016) – flight information display screens and public announcement systems were compromised and used “to show messages criticizing Vietnam’s claims of territory in the South China Sea”.[8]
- Swissport Zurich Attack (2022) – IT systems were disrupted due to a ransomware attack. Speculation at the time suggests an OT entry. Flights were delayed at multiple airports.[9]
Impact: Delays of over 100 flights and passenger confusion. The breach of OT systems such as flight displays served as a “heads up” to the industry regarding OT security.
Methods: SCADA vulnerabilities, insecure IoT aviation devices.
Supply Chain and Service Provider Attacks
- Collins Aerospace, European Airports (2025) – a ransomware attack against RTX subsidiary Collins Aerospace’s MUSE system knocked check-in systems offline and caused widespread travel disruptions.[10]
- Air France and KLM (2025) – attackers breached a customer service platform and gained access to customer data. The airlines reported, “IT and security teams, along with the relevant external party, took immediate action to stop the unauthorized access.”[11]
Impact: Loss and exposure of customer data, passenger delays, cargo delays and rerouting, economic loss.
Methods: Social engineering, vishing, phishing, possibly linked to the Salesforce/Salesloft Drift compromise.
Insider Threats and Credential Theft
- Qantas Frequent Flyer Theft (2024) – Almost 1,000 Qantas customers’ frequent flyer miles or points were stolen due to unauthorized access by third-party contractors.[12] The attackers leveraged their insider access to change bookings and redirect points. Since the fraud was perpetrated by third-party employees, this incident could also be listed in the Service Provider Attacks section above.
- Virgin America/Alaska Air (2017) – Unauthorized access using stolen network credentials exposed employee and contractor data. This was a case that raised awareness around the importance of identity and access controls, though the reporting still assumes the attacker didn’t have control over MFA and that it was broadly deployed.[13]
Impact: Customer financial loss, and loss of trust. Demonstrated weaknesses in industry defensive techniques.
Methods: Credential theft and likely inadequate MFA coverage, exploitation of ineffective application integration controls.
Aviation Data Breaches and Passenger Information Theft
- WestJet (2025) – The airline identified “suspicious activity” on its systems. Upon investigation, it determined that this was the action of a sophisticated criminal third party that gained unauthorized access to its system.[14]
- Hawaiian Airlines (Alaska Air Group) (2025) – The company announced it was experiencing IT issues as the result of a “cybersecurity event”. The extent of the incident was clear. While it was reported its network systems were “taken out”, the company stated it had taken steps to safeguard operations, and that flights were operating normally.[15] The incident was filed with the SEC.
- Qantas (2025) – Reference above section “Ransomware Targeting Airlines and Airports”.
- Air France and KLM (2025) – Reference above section “Supply Chain and Service Provider Attacks”.
Impact: Millions of customers’ personal data released on the dark web. Network outages during events. Loss of customer trust.
Methods: Social engineering, vishing, phishing, MFA bypass, third-party services compromise.
GPS and Communication Jamming/Spoofing
- Finnish Airports GPS Jamming (2024) – Finnair suspended flights to eastern Estonia because of GPS disturbances in the area blamed on Russia. Airports contend with GPS jamming due to its relative ease and the low cost of equipment.[16]
- Ryanair Flight Diversion Due to GPS Interference (2025) – A Ryanair flight from London had to divert to Warsaw because of GPS signal interference near NATO’s border with Russia. The plane’s navigation systems were disrupted, which prompted the diversion.[17]
Impact: Navigation failures, flight diversions, potential collisions and loss of life.
Methods: Radio frequency (RF) jamming (broad/narrowband noise) that denies GNSS (GPS+Galileo+GLONASS+BeiDou); GNSS/GPS spoofing (replay or progressive/seamless spoofing) injecting false position and/or time; targeted VHF/ADS-B/CPDLC interference or spoofing.[18]
(Source: FAA – GPS/GNSS Jamming/Spoofing)
Regulatory and Industry Response
Over the years, the industry has responded by creating and adopting cybersecurity frameworks and regulations to enable and enforce the adoption of programmatic security measures. ISO 27001, NIST Cybersecurity Framework (CSF), ICAO Aviation Cybersecurity Strategy, DO-326A/ED-202A, and EASA/FAA Cybersecurity Directives represent a robust collection of controls that can be used to mitigate risk in the aviation sector.
- ISO 27001: An internationally recognized standard providing companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system.[19]
- NIST Cybersecurity Framework (CSF): The NIST Cybersecurity Framework (CSF) 2.0 guides industry, government agencies, and other organizations to manage cybersecurity risks.[20]
- ICAO Aviation Cybersecurity Strategy: As the name suggests, this is a cybersecurity strategy developed by the International Civil Aviation Organization that provides guidance on securing aviation systems against cyber threats.[21]
- DO-326A and ED-202A: Originally published in 2010, the guidance of this document is intended to augment current guidance for aircraft certification to handle the information security threat to aircraft safety. DO-326A was published in 2014.[22] Compliance is required for companies involved in the design, production, and maintenance of civil aviation aircraft and related components to ensure airworthiness and cybersecurity.
- FAA and EASA Cybersecurity Directives: These joint directives mandating risk assessments, incident reporting, and enhanced security measures demonstrate the international cooperation in the selection of standards and implementing funding penalties when they are not adopted.[23]
Zero Trust and OT Segmentation
OT segmentation and Zero Trust adoption are critical to meet the requirements that have been given as directives by the regulatory bodies.
- Zero Trust is an architecture and a philosophy in which perimeter-based security models are no longer sufficient. Per NIST Special Publication 800-207, the tenets of zero trust include:
  - All data sources and computing services are considered resources.
  - All communication is secured regardless of network location.
  - Access to individual enterprise resources is granted on a per-session basis.
  - Access to resources is determined by dynamic policy, including the observable state of client identity, application service, and the requesting asset, and may include other behavioral attributes.
  - The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  - All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  - The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.[24]
- OT Segmentation: Aligned with Zero Trust, OT segmentation can limit the spread of malware throughout the network if compromised. This can be the difference between continued safe operations without impact to customer data and a very bad couple of days or weeks.
Collaboration and Threat Intelligence
The aviation sector is improving coordination, collaboration and the sharing of intelligence through:
- TSA Cybersecurity Directives: All TSA-regulated entities must develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure. They must also proactively assess the effectiveness of these measures, including those described in a Zero Trust implementation.[25]
- Industry-wide Threat Intelligence: Information Sharing and Analysis Centers (ISACs) have been established, and aviation operators are leveraging sector-specific information to defend against threats.
Through the use of global standards, strategies following programmatic frameworks, and the sharing of threat information, teams can mitigate the risks to operations from cyber attackers and provide for the resilience the industry needs.
Conclusion and Recommendations
As the airline sector continues on its digital transformation journey to support the growing demand for services, it must stay in front of the risks present in cyber and third-party integrations. As with other industries that rely extensively on external services, we are seeing those services being used as a launch point for attacks, the focal point in multi-organization attacks, and/or the point of exfiltration itself. These recent events highlight the importance of adopting a zero trust cyber security approach including continuous verification and validation of operating controls.
Recommended Guidance for Airlines, Airports, and Vendors
- IT Governance and Risk Management: Implement IT governance to enable the incorporation of cybersecurity and IT-related risk into the organization’s broader enterprise risk management strategy. Leverage integrated cyber risk governance aligned with DoCRA principles and practices to validate and verify the operation of controls cited in frameworks and regulations.
- Assess Existing Cybersecurity Posture: Begin conducting regular security assessments which identify the existence and health of controls in place, and gaps where additional controls are required. Use this opportunity to implement continuous control monitoring and centralized reporting, and a road map to address identified control weaknesses.
- Enhance Ransomware Defenses: Ensure EDR (Endpoint Detection and Response) is deployed, and the SOC has been tested. Simulate attack situations testing the teams’ responses. Step up defenses with browser security solutions. Ensure patching and vulnerability management processes are functioning. Continuously verify and report the operation of these processes through standard operating metrics. See the CISA ransomware guide for more information.[26]
- Accept Zero Trust and OT Segmentation: Start with segmenting OT and IT, and implement microsegmentation in each zone. This allows granular control for network flow, and prevents lateral movement if attackers gain a foothold in the network or on a device. Deploy Identity Governance and Administration, follow the principles of least privilege, implement MFA, and account for Non-Human Identities.
- Employee Awareness and Training: This cannot be stressed enough. Social engineering is the easiest method of attack, with the lowest cost and the greatest success. Continue phishing exercises, but empower the help desk and anyone with administrative responsibilities to say “no, I need to verify your request” if something isn’t right.
- Implement Regulatory and Industry Standards: Verify your controls align with ISO 27001, NIST CSF 2.0, ICAO Aviation Cybersecurity Strategy, DO-326A and ED-202A. Continuously monitor and report on the relevant operational metrics to support evidence of the controls in place, and develop roadmaps to address gaps over time. Leverage the Transportation Systems Sector Cybersecurity Framework Implementation Guide.[27]
- Leverage Shared Threat Intelligence: Engage with Information Sharing and Analysis Centers (ISACs) and sector-wide cybersecurity groups to keep in front of evolving threats.
- Mitigating GPS Jamming and Spoofing Risks: Three airports in Eastern Finland have reinstated radio-based Distance Measuring Equipment (DME), which is an alternative solution during GPS outages, ensuring continued safe operations despite external interferences.[28] Explore alternative navigation solutions such as this to provide resilience against jamming and spoofing.
Next Steps
This guidance is meant to allow each organization to understand its current security posture and the gaps present in its environment when measured against an accepted standard, and to provide a programmatic means to resolve them, prioritized by risk. The recent events discussed, the risks realized, and the people impacted show that we are all vulnerable, but with a risk-based approach and investment in a cybersecurity strategy that includes integrated cyber risk governance, organizations can protect their infrastructure and their employee and customer information, and provide safe operations for a national and global network.
For a comprehensive risk-based cybersecurity assessment, contact Halock Security Labs to evaluate your organization’s current security posture against the top threats facing the aviation sector.
ABOUT HALOCK SECURITY LABS
HALOCK is a risk management and information security consulting firm providing cybersecurity, regulatory, strategic, and litigation services. HALOCK has pioneered an approach to risk analysis that aligns with regulatory standards for “reasonable” and “appropriate” safeguards and risk, using due care and reasonable person principles. As the principal authors of CIS Risk Assessment Method (RAM) and board members of The Duty of Care Risk Analysis (DoCRA) Council, HALOCK offers unique insight to help organizations define their acceptable level of risk and establish reasonable security.
Review Your Security and Risk Profile
Appendix
Radio Technical Commission for Aeronautics (RTCA)
https://www.rtca.org/about/
DO-326A – Airworthiness Security Process Specification
https://products.rtca.org/21dja1f/
DO-355A-Information Security Guidance for Continuing Airworthiness
https://products.rtca.org/21djd2g/
DO-356A – Airworthiness Security Methods and Considerations
https://products.rtca.org/21djdi5/
Works Cited
https://nieuws.klm.com/klm-informeert-klanten-over-incident-met-persoonsgegevens/
[1] Global air passenger traffic to reach 9.8 billion in 2025: Reports
[2] Joint ACI World-ICAO Passenger Traffic Report, Trends, and Outlook
[3] Air freight: growth is slowing down
[4] FBI Issues US Airline Warning: What to Know
[5] What we know about Scattered Spider, the hacker group targeting airlines
[6] How to tell if your Qantas personal data has hit the dark web and what you can do if it has
[7] Airline passengers left stranded after ransomware attack
[8] South China Sea: Vietnam airport screens hacked
[9] Swissport Ransomware Attack Delayed Flights
[10] Collins Aerospace Working on Restoring Software for Airlines Hit by Cyberattack
[11] Air France and KLM disclose data breaches impacting customers
[12] Qantas customers caught in global fraud from ‘rogue’ third-party employees in India
[13] Virgin America says a hacker broke into its network, forced staff to change passwords
[14] WestJet provides update on June 13, 2025, cybersecurity incident
[15] Hawaiian Airlines suffers massive IT outage, ransomware attack suspected
[16] Flight Chaos in NATO Countries Amid GPS Jamming
[17] Ryanair flight diverted from Vilnius due to GPS interference, Lithuania says
[18] GPS/GNSS Jamming/Spoofing – Federal Aviation Administration
[20] The NIST Cybersecurity Framework (CSF) 2.0
[22] DO-326(), Airworthiness Security Process Specification
[23] What a Tangled Web: Aviation Prosperity, Cybersecurity Risk
[24] NIST Special Publication 800-207
[25] TSA issues new cybersecurity requirements for airport and aircraft operators
[27] Transportation Systems Sector Cybersecurity Framework Implementation Guide
[28] Three Finnish airports mitigate Russian GPS interference with radio navigation