(NEXSTAR) – A cybercrime organization known as “Scattered Spider” has been targeting airlines based in North America in recent weeks, attempting to gain access to sensitive data for purposes of extortion, the FBI confirmed in an alert issued Friday.

“They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk,” the alert reads, in part.

How have airlines or customers been affected?

A number of major airlines have confirmed security breaches in recent weeks, including Canada’s WestJet, which reported a “cybersecurity incident” in mid-June. The incident affected internal systems, but the carrier also warned that some customers may find themselves “restricted” from the app, or noticing “interruptions or errors” on the app or website. It was unclear if the customer-facing issues were the result of the cyberattack or the carrier’s attempts to fix or mitigate the issue.

A representative for WestJet was not immediately available for comment.

Within weeks, Hawaiian Airlines also reported a “cybersecurity event” affecting its IT systems, Nexstar’s KHON reported. The airline did not say whether any other data was compromised. A representative for the airline did not respond immediately when contacted for further information.

Neither WestJet nor Hawaiian Airlines identified Scattered Spider as the group believed to be behind the attacks.

Last week, Nexstar’s WHTM also reported that Delta Air lines had locked some of its customers’ accounts over security concerns. A passenger, who is also a current reporter at the station, learned of the security measures after contacting Delta to report that he was unable to login to his online account or change his password.

WHTM reported that a Delta customer service representative said the issues stemmed from a potential security breach involving a large number of customers, although a Delta spokesperson later said the company simply reset the credentials to preemptively “maintain security,” and that its actions were not the result of a security breach.

“As we do occasionally, out of an abundance of caution, we reset credentials for accounts and ask that customers verify them with us to maintain security of the accounts,” a spokesperson for Delta said, while confirming that customers’ SkyMiles accounts “are secure.

“We apologize for any inconvenience this might cause.”

What is Scattered Spider?

While none of the above airlines named Scattered Spider as the culprit behind their woes, the FBI has warned of the hacker group “expanding” its efforts to target the airline industry specifically.

“These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access,” last week’s FBI alert reads. These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts.”

These tactics appear to mirror other cybersecurity breaches blamed on Scattered Spider in the past, according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

One of the main tactics the group relies on — social engineering — means that its members will use their social skills (while posing as an IT employee, for instance) to convince unwitting employees to grant access to otherwise inaccessible data.

Authorities say the group used these tactics, and others, when they gained access to multiple casinos’ internal computer systems, where they installed ransomware and demanded money in exchange for reverting back control.

Some hackers believed to be associated with the group have been criminally charged, including four young men linked to the casino cyberattacks, Nexstar’s KLAS reported in 2024.

What is being done to mitigate the attacks?

The airlines affected by recent security breaches say they’re monitoring and assessing the impacts. WestJet and Hawaiian are also in contact with cybersecurity experts, according to their websites.

CISA and the FBI have also recommended that software developers take a number of actions to make their products less vulnerable to ransomware attacks, to help prevent some attack attempts at the source.

“The FBI and CISA encourage critical infrastructure organizations to implement the recommendations …  to reduce the likelihood and impact of a cyberattack by Scattered Spider actors,” reads a detailed CISA profile of the organization published in 2023.