Airlines are a popular target for hackers in part because of the amount of personal data they collect – and no personal data is more coveted by cybercriminals than passports and government IDs.
Passport and ID leaks pose a “severe, long-term identity theft risk,” according to personal data removal and privacy company Incogni. “Unlike credit cards, travel documents are difficult to replace and can be exploited for years in synthetic identity fraud, fake travel documents, and impersonation scams.”
For that reason alone, this week’s leak of customer data from Qantas Airways by the Scattered LAPSUS$ Hunters threat group could have been worse. The leaked data included names, email addresses and Frequent Flyer details, along with a small amount of more personal data like addresses, dates of birth and phone numbers, but “no credit card details, personal financial information or passport details were impacted,” according to Qantas.
While Qantas avoided the most damaging kind of leak, there’s still risk for consumers, Incogni notes.
“Even when payment or passport data isn’t exposed, personal identifiers like names, dates of birth, and loyalty program details can be enough to drive large-scale fraud,” Darius Belejevas, Head of Incogni, told The Cyber Express. “Attackers often combine these records with information from other breaches to build detailed identity profiles.”
The incident also highlights the growing risk posed by third-party vendors, as it was linked to Salesforce social engineering and third-party breaches.
“The Qantas case shows how one compromised supplier can ripple across industries, exposing millions of customer records in a single incident,” Belejevas added.
Airline Data Breaches Growing
According to Cyble’s threat intelligence database, there have been more than 20 airline data breaches claimed by threat actors on the dark web thus far in 2025, up roughly 50% from the same period of 2024. Part of that increase is due to a focus on the sector by Scattered Spider and the larger Scattered LAPSUS$ Hunters alliance, but other threat groups seem to be targeting the airline sector too.
The most recent incident occurred this week, when the CL0P ransomware group claimed to possess data from American Airlines regional carrier Envoy Air.
Envoy Air confirmed the incident in a statement to The Cyber Express – but said no customer data was involved.
“We are aware of the incident involving Envoy’s Oracle E-Business Suite application,” Envoy Air told The Cyber Express. “Upon learning of the matter, we immediately began an investigation and law enforcement was contacted. We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised.”
WestJet, which suffered a data breach in June of this year, wasn’t as lucky, as the breach exposed some passenger travel documents like passports and other government-issued identification information. WestJet responded by offering affected customers 24 months of complimentary identity theft protection and monitoring services, but Incogni warns that compromised identity documents “can fuel fraud for much longer” than two years.
Protecting Against Airline Data Breaches
Incogni recommends that people impacted by airline data breaches – and travelers in general – take proactive steps to protect themselves, including:
- Enrolling in identity theft monitoring if offered.
- Reporting suspicious calls and phishing attempts to national anti-fraud hotlines such as the Canadian Anti-Fraud Centre or the FTC in the U.S.
- Using strong, unique passwords and multi-factor authentication on all online accounts.
- Removing personal information from data broker and people-search sites to cut off “one of the easiest shortcuts for scammers.”
“Individuals and organizations need to better protect, and whenever possible by any means necessary not share, sensitive data in an era where it is now being used not just being stolen by cybercriminals and nation-states but also by legitimate organizations that are using it for their own purposes to manipulate specific outcomes,” Ron Zayas, CEO of Incogni, said in a statement.