The Top 5 Worst Cyberattacks To Ever Hit Airports
Cyberattacks are like boogeymen that can strike anywhere, anytime, but which few people can foresee or understand. At least, that's how they appear from the outside. It's actually well known in cybersecurity circles how vulnerable aviation and air-related sectors are to attack. Aging tech, more advanced hacking methods, numerous points of electronic vulnerability (airport Wi-Fi, air traffic control systems, in-flight entertainment, etc.): All this and more has led to a 600% increase in cyberattacks across the board from 2024 to 2025 alone (via Thales). However, even amidst an overall increase in cyberattacks, certain cases stand out as particularly severe.
Part of the difficulty of combating cyberattacks comes from their protean nature. While physical airport security has clear objectives and targets, like when the TSA confiscates guns and drugs from passengers (or even certain types of reading material, for that matter), cyberattacks can appear in countless inventive forms. In March 2020, a cyberattack targeted Windows login information at San Francisco International Airport (SFO). An October 2022 attack took down the website for Phoenix Sky Harbor International Airport (PHX). An April 2019 attack on Cleveland Hopkins International Airport (CLE) switched off baggage claim and departure-arrival screens. These are just a few examples.
Some attacks have been much worse than these relatively minor incidents, though. September 2025 attacks on automatic check-in systems across European airports have affected thousands of people. Brussels International Airport (BRU) had to cancel 60 out of 550 flights and check in passengers manually using laptops and iPads. Sometimes it isn't airports, but airlines that are targeted, as was the case with EasyJet, which saw the data of 9 million customers stolen in 2020. Other airport-focused attacks have left thousands of passengers stranded, struck multiple locations at once, and involved hefty ransoms.
Kuala Lumpur International Airport was ransomed by hackers
Imagine you've passed through airport security and are headed to your gate. You've got your check-in bags at your side, your passports and boarding passes in hand, and ... Whoosh. Your flight vanishes from the departures board. It was A27, let's say, and now it's nowhere to be found. Other people are pointing at the board, talking to each other, and checking their phones. Panicking, you go to a customer service counter and learn that your flight is still in order. However, all flight information display systems (FIDS) across the airport are displaying the wrong information. Check-in kiosks have stopped working, and baggage handling has had to switch to manual. Some systems have gone offline entirely. Flight after flight gets delayed as confusion consumes the entire airport.
This is exactly what happened to Kuala Lumpur International Airport (KUL) in Malaysia on March 23, 2025, when a hacker group breached airport systems. They interfered with operations, stole two terabytes' worth of data, and demanded a $10 million ransom to stop it all. They remained anonymous for a while, but eventually came forward as hacker consortium Qilin. This group is responsible for 60 confirmed attacks since 2022, including against Western New Mexico University in the U.S. and Hospital Los Madroños in Spain. They're also responsible for a whopping 156 unconfirmed attacks in 2025 alone.
KUL's breach was so massive that Malaysian Prime Minister Anwar Ibrahim stepped in. Even as he refused to cooperate with the hackers and pay their ransom, Malaysia's National Cyber Security Agency (NACSA) contained the hack. They worked to plug security holes, launched an investigation, and implemented other proactive methods. Now, this incident serves as a cautionary tale, highlighting the importance of ensuring that airport IT infrastructure is robust enough to withstand cyberattacks.
Multiple Swedish airports were targeted by Russian hackers
Our next entry didn't come with a ransom and dramatic governmental intervention, but it did come with widespread, multi-airport troubles and political worries. Back in 2015, the entirety of Sweden's air traffic control system across multiple airports went offline following a cyberattack. This lasted a full five days from November 4 to 9, when air traffic control found themselves staring at blank screens. Hundreds of flights were canceled, and passengers were left stranded on the ground. This is a far, far worse outcome than a flight delay, even the kind that would make you venture out of the airport to sightsee rather than stick around inside.
The outage was initially blamed on a solar storm, but the true culprit behind the attack was the Russian hacker outfit APT28 (the "APT" stands for Advanced Persistent Threat), also known as "Fancy Bear," a group that has made headlines many times since then and is linked to Russian central intelligence. As stated, there was no ransom. There was also no obvious motive beyond flexing cyber muscle and testing the hackers' ability to penetrate cyber defenses. The Swedish government remained silent about the entire matter but raised the alarm with NATO and its fellow Scandinavian countries, Norway and Denmark.
In 2018, Fancy Bear was back to hit the Swedish Sports Confederation. In 2020, they attacked the Norwegian Parliament. In 2024, they leveraged a vulnerability in Microsoft Outlook to target both the German and Czech governments. Fancy Bear has also targeted the Polish government, the Canadian energy company Suncor Energy, and an "unnamed critical energy infrastructure facility" in Ukraine (per The Hacker News), as well as numerous additional global targets, all part of ongoing, disruptive Russian cyber activities. Such incidents paint Sweden's 2015 air traffic control attack as a precursor of things to come.
Ben Gurion Airport got hit with 3 million attacks per day
Our next cyberattack wasn't a single, concerted assault, but rather a collection of attacks that could be considered one unified cyberattack effort. In 2019, Ben Gurion International Airport (TLV) in Tel Aviv, Israel, revealed that it got hit with 3 million cyberattacks per day. It's not clear how long this had been happening, although it was TLV, specifically, that was being targeted. Most of these attacks — but not all — were conducted by bots, like an endless stream of arrows shot at a fortress. It's also still unclear who was behind the attacks, which airport operations were affected, and what effects passengers suffered, if any.
In response, Israel's Airport Authority went all-in on defense to create its own in-house security operations center (SOC) at TLV. This kind of on-site cyberdefense team was the first of its kind (that we know of) and was built on the Airport Authority's entire cybersecurity division, established four years earlier in 2015. Ben Gurion's SOC stands guard nonstop, every second of every day.
And just to illustrate that cyberattacks can reach beyond airports while still involving them, two El Al flights inbound to TLV in 2024 faced a potential cyber-hijacking. Yes, this means that someone hacked flights in the sky, en route, as they passed over Middle Eastern airspace on their way to Israel from Thailand. As InfoSecurity Magazine explains, the hack materialized as a change in flight plan on the planes' instruments. Wisely, the pilots figured out the ruse and ignored it. In a statement in the Jerusalem Post, El Al stated that the attacks were not directed at their planes, specifically, but at all plane communications in the area.
A cyberattack delayed SpiceJet passengers across multiple airports
Usually, cyberattacks on airlines target customer data and don't affect airport operations. We already mentioned EasyJet's data leak that affected 9 million customers in 2020. Cathay Pacific faced a similar 2018 data breach, in which 9.4 million customers' information was stolen. That same year, British Airways and Air Canada had 400,000 and 20,000 customers' data stolen, respectively. However, in May 2022, the Indian airline SpiceJet was hit with a cyberattack that didn't compromise data, but instead disrupted passenger flights at multiple airports all over the country.
In what amounted to an extreme debacle in the eyes of the public, SpiceJet passengers at various airports across India started taking to Twitter to complain about being stuck at gates, stuck on the tarmac for almost four hours with no word about what was happening, staff disappearing from gates for hours with no explanation, and more. Eventually, SpiceJet stated that the airline had successfully fended off a ransomware attack that had cascaded through its systems, causing slowdowns and delays at multiple airports.
An insightful Futurism report about this SpiceJet incident explains the nature of ransomware attacks (which eventually result in data breaches). More generally, though, it passes the buck by pointing out that many more ransomware attacks occur in North America compared to other places in the world and by advising customers on personal safety measures. The 2022 attack on SpiceJet is a perfect example of the worst possible outcome for the most minimal amount of actual damage, and demonstrates how even failed cyberattacks can cause widespread mayhem within airports.
A DDoS attack stranded 1,400 Polish passengers
While there are plenty of other cyberattacks we could talk about, one large 2015 attack made global headlines for its size and for what might have been, at that time, a less common occurrence. Like the SpiceJet attack, the 2015 cyberattack in question targeted an airline, the Polish airline LOT. However, the attack remained confined to LOT flights at Poland's main airport, Warsaw Chopin Airport. Ten flights got canceled, 15 were delayed, and 1,400 passengers were left with nowhere to go. It only took five hours to cause all this upheaval, after which the attack was resolved.
This cyberattack was one of the most standard hacker go-tos: a DDoS (distributed denial-of-service) attack. DDoS attacks are a tried-and-true, if brute and crude, method of disrupting services by flooding servers with digital traffic to interrupt normal operations — kind of like how one might feel trying to read with a jabbering toddler nearby. In the case of the 2015 Warsaw Chopin cyberattack, this meant that computer systems couldn't handle data properly, and as a result, flights got delayed. There was no apparent motive behind the attack, and the attacker remains unknown to this day.
However, this attack proved crucial in awakening businesses and governments to the ever-increasing threat of cyberattacks. "This story highlights the fact that, as more and more aspects of our lives become cyber-dependent, we offer a greater attack surface to cybercriminals," security researcher David Emm told CNBC at the time. As this article illustrates, right down to recent 2025 attacks across European airports, such words continue to prove truer and truer by the day.