Cyber incident disrupts Hawaiian Airlines, but flights are unaffected

Food distributor UNFI restores operations, Danish gov't wants people to own copyrights to their bodies, faces and voices, N. Korea is automating crypto theft with AI tools, Pro-Iranian hacktivists leaked Saudi Games records, Cambodia has been negligent in cybercrime compound crackdowns, much more


And now for something completely different, check out a piece I wrote for TechTarget on the top ten metrics security leaders should use to track their programs' performance and demonstrate the value of their security efforts to the board.




Hawaiian Airlines, the tenth-largest commercial airline in the United States, is investigating a cyberattack that has disrupted access to some of its systems.

The airline said the incident didn't affect flight safety and has already contacted relevant authorities to assist in investigating the attack.

Hawaiian Airlines also hired external cybersecurity experts to assess the attack's impact and help restore affected systems.

"Hawaiian Airlines is addressing a cybersecurity event that has affected some of our IT systems. Our highest priority is the safety and security of our guests and employees. We have taken steps to safeguard our operations, and our flights are operating safely and as scheduled," the airline said.

"There has been no impact on safety, and the airline continues to operate safely. We are monitoring the situation," the Federal Aviation Administration said.

This incident follows a similar attack that affected WestJet, Canada's second-largest airline, on June 13, which prevented customers from accessing the airline's mobile app and website. (Sergiu Gatlan / Bleeping Computer)

Related: Hawaiian Airlines, KITV, Reuters, Hawaii News Now, Tech Monitor, Wall Street Journal, Star Advertiser, KHON2, Beat of Hawaii, Big Island Now, Spectrum News, USA Today, BizJournals, NBC Right Now, Travel and Tour World

American grocery wholesale giant United Natural Foods (UNFI) reports that it has restored its core systems and brought online the electronic ordering and invoicing systems affected by a cyberattack.

UNFI, which is also a primary distributor for Amazon's Whole Foods, said the incident has been contained and that it's now delivering products to stores at "more normalized levels."

In a separate 8-K filing with the US Securities and Exchange Commission, the grocery distributor said it believes the incident is also "reasonably likely" to have a material impact on its net income/(loss) and adjusted EBITDA for the fourth fiscal quarter of 2025.

"In the weeks following the incident, the Company experienced reduced sales volume and increased operational costs as the Company worked to drive solutions-oriented results for its customers. The Company has also incurred, and expects to continue to incur, direct expenses related to the investigation and remediation of the incident," UNFI said.

"The Company holds cybersecurity insurance that it currently expects will be adequate for the incident, and expects that the full claim and settlement process will extend into its 2026 fiscal year." (Sergiu Gatlan / Bleeping Computer)

Related: UNFI, SEC

The Danish department of culture plans to submit a proposal to amend the current law for consultation before the summer recess and then submit the amendment in the autumn.

The proposal defines a deepfake as a very realistic digital representation of a person, including their appearance and voice.

The Danish culture minister, Jakob Engel-Schmidt, said he hoped the bill before parliament would send an “unequivocal message” that everybody had the right to the way they looked and sounded.

He said, “In the bill we agree and are sending an unequivocal message that everybody has the right to their own body, their own voice and their own facial features, which is apparently not how the current law is protecting people against generative AI.”

He added: “Human beings can be run through the digital copy machine and be misused for all sorts of purposes and I’m not willing to accept that.” (Miranda Bryant / The Guardian)

Related: The Verge, r/WorldNews, Newsbytes

Lee Seul-gi, lead researcher at the Korea Internet & Security Agency (KISA), said North Korea’s state-sponsored hacking groups are automating cryptocurrency theft with the help of AI tools like ChatGPT.

He said the country's attackers are using AI-configured scripts to automatically transfer crypto to their own wallets once a victim’s balance exceeds $200.

Lee shared the findings of an investigation that analyzed 39 virtual server images seized in September, according to local media.

The analysis uncovered evidence of operations by two North Korea-linked groups: Kimsuky, which allegedly targeted cryptocurrency investors, and Andariel, which sought military-related documents.

According to Lee, the attackers relied on a variety of online information, such as searching Google for crypto-related Python code, browsing forums, and watching YouTube tutorials. They also heavily relied on ChatGPT to generate scripts for wallet tracking, API queries, phishing sites, and data parsing. (Yohan Yun / Cointelegraph)

Related: TechM

Researchers at Resecurity report that thousands of personal records linked to athletes and visitors of the Saudi Games have been leaked online following a cyber-attack attributed to the pro-Iranian hacktivist group Cyber Fattah. 

The leaked data includes scans of passports and ID cards, medical certificates, International Bank Account Numbers (IBANs), and credentials belonging to IT staff and government officials. 

The breach is part of a broader information operation driven by Iran and its affiliates to advance anti-US, anti-Israel, and anti-Saudi narratives in cyberspace.

What sets this incident apart is its strategic timing and geopolitical undercurrents. The leak announcement came shortly after distributed denial-of-service (DDoS) attacks on Truth Social, following US airstrikes on Iranian nuclear facilities.

Analysts view the leak as an escalation in a coordinated campaign that uses cyber tactics to undermine regional stability.

The actor behind the leak, identified by the handle “ZeroDayX,” used a throwaway profile to release the data on the dark web. This tactic, according to Resecurity, is common among nation-state actors or their proxies seeking to obscure direct attribution. (Alessandro Mascellino / Infosecurity Magazine)

Related: Resecurity, Dark Reading, SC Media

Dark web listing for the Cyber Fattah leak. Source: Resecurity.

Amnesty International reports that the government of Cambodia’s response to the human rights crisis within the online scamming industry has been “grossly inadequate," with more than 50 compounds continuing to operate in the country despite purported crackdowns.

The organization released the results of a nearly two-year study involving interviews with 58 survivors of Cambodia’s scamming compounds and a review of testimony from 365 others trafficked into the industry.

The rescued workers were unwittingly ensnared in an industry that has metastasized into a global operation with deep roots in Chinese organized crime. The criminal ecosystem mainly revolves around cryptocurrency investment scams but has evolved to include a range of illicit activities. According to the United Nations Office on Drugs and Crime, scam centers in Southeast Asia may net around $40 billion annually.

The survivors described their experiences of being lured to Cambodia with promises of a job opportunity, only to find themselves trapped in hulking prison-like compounds encircled by razor wire and often with guards carrying electric batons to keep workers in line. Within these compounds, the roles for workers varied but coalesced around a single purpose: “to assist in the running of scamming operations.”

“In some cases, this meant survivors were given training and a script to directly undertake scamming,” Amnesty International wrote. “In other cases, they were put to work in other jobs at the compound such as administration or food delivery.”

Survivors described being photographed and filmed so that their faces could be used to set up bank accounts for money laundering purposes. Some engaged in pig butchering scams, in which scammers build up trust through conversations with potential victims before defrauding them, while others described making sham websites to steal information or sell fake products.

The report criticized the efforts of the Cambodian government to curb the industry and, in some cases, pointed to evidence of potential cooperation between organized criminals and the police.

More than one-third of the compounds researchers studied were the site of “interventions” by police or the military, yet abuses continued to occur after visits by authorities, they allege. (James Reddick / The Record)

Related: Amnesty.org, Rome News-Tribune, Taipei Times, South China Morning Post, Khaosod English, Radio Free Asia, Nikkei Asia, Malay Mail

Source: Amnesty International.

Seven months after unveiling its Windows Resiliency Initiative (WRI), Microsoft announced many new and upcoming security capabilities, including a new "Windows endpoint security platform" that will enable Microsoft Virus Initiative (MVI) partners to start building their solutions to run outside the Windows kernel. The aim is to avoid a repeat of the CrowdStrike blue screens of death that seriously hampered organizations across the world in July 2024.

The upcoming endpoint security platform means security products like anti-virus and endpoint protection solutions can run in user mode just as apps do. The goal of the platform, as it is for the WRI broadly, is to improve Windows stability and make recovering from unscheduled downtime faster.

Other changes involve post-crash recovery, cached Windows upgrades, printer security, and more, which are aligned with the WRI's overall goal of "helping organizations prevent, withstand, and recover from disruptions," according to a blog post by Microsoft's head of Enterprise & OS Security, David Weston.

One noteworthy change from WRI is that the company's infamous blue screen of death will now become a black screen of death. Microsoft says it’s “streamlining” what users experience when encountering “unexpected restarts” that cause disruptions. And that means a makeover to the infamous error screen.

The new BSOD also has a slightly shorter message. It’s also no longer accompanied by a frowning face and instead shows a percentage completed for the restart process. (Gladys Rama / Redmond Magazine and Associated Press)

Related: Microsoft, Windows Blog, Thurrott, Petri IT, TechRadar, Dark Reading, The Verge, BGR, CNBC, The Register, The Independent, CBC

The new BSOD in Windows 11. Source: Microsoft.

According to internal emails, Immigration and Customs Enforcement (ICE) is using a new mobile phone app, the Mobile Fortify App, that can identify someone based on their fingerprints or face by simply pointing a smartphone camera at them.

The underlying system used for the facial recognition component of the app is ordinarily used when people enter or exit the US. Now, that system is being used inside the US by ICE to identify people in the field.

“The Mobile Fortify App empowers users with real-time biometric identity verification capabilities utilizing contactless fingerprints and facial images captured by the camera on an ICE issued cell phone without a secondary collection device,” one of the emails, which was sent to all Enforcement and Removal Operations (ERO) personnel, reads.

A video posted to social media this month shows apparent ICE officers carefully pointing their phones at a protester in his vehicle, but it is not clear if the officers were taking ordinary photos or using this tool. (Joseph Cox / 404 Media)

Related: Biometric Update

Patrick Ware, a senior executive at the National Security Agency, has been named the new top civilian leader at US Cyber Command.

Ware, a 34-year NSA veteran, replaces Morgan Adamski as the command’s executive director. The No. 3 spot at the military’s digital warfighting organization is traditionally held by an NSA official on loan to Cyber Command.

Sources say Adamski, who previously served as the director of the NSA’s Cybersecurity Collaboration Center, is expected to move into the private sector.

Ware comes aboard at a critical time for Cyber Command, which has been without a permanent chief since Air Force Gen. Timothy Haugh was abruptly fired nearly three months ago, along with his NSA deputy. (Martin Matishak / The Record)

Related: US Cyber Command, Politico Pro

The Federal Trade Commission (FTC) has approved $126,000,000 in refunds to be sent to 969,173 Fortnite players as part of a settlement over allegations that Epic Games tricked users into making unwanted purchases.

At the same time, the agency has reopened the claims portal for eligible Fortnite players to submit refund claims, which will be examined for the third round of refunds.

This latest development marks the second phase of the settlement the FTC reached with Epic Games in December 2022, in which the company agreed to pay $520 million to settle allegations of violating children's privacy laws and using dark patterns to trick millions into making unintentional in-game purchases.

These charges occurred without additional confirmation, and those attempting to dispute and reverse them had to go through a complex process that made it likely for them to give up prematurely. (Bill Toulas / Bleeping Computer)

Related: FTC

Legislation introduced by Sens. Rick Scott (R-FL) and Gary Peters (D-MI) called the No Adversarial AI Act would ban federal agencies from using artificial intelligence tools produced in countries considered “foreign adversaries," a term that legally covers Russia, China, Iran, and North Korea.

It would create a federal list of AI tools produced by companies based in Russia, China, Iran, and North Korea, and prohibit US agencies from using them.

The proposal comes as concerns have grown about DeepSeek, a powerful AI tool made in China. US officials said that DeepSeek is helping China’s military and has provided user information to the government.

FedScoop reported that at least one employee at the US Department of Agriculture tried to access DeepSeek at work but was blocked. (Jonathan Greig / The Record)

Related: Senator Rick Scott, Reuters, FedScoop, Select Committee on the CCP, CoinCentral, Reuters, ExecutiveGov, The Cyber Express, South China Morning Post, SC Media, Security Week

Best Thing of the Day: Even a Measly $250 Bitcoin Payment Can Be Tracked

The FBI used a $250 Bitcoin transaction to help identify and apprehend Kai West, the elusive operator of IntelBroker.

Worst Thing of the Day: The Mission is More Important Than Your Job, Dave

Workers at Google, TikTok, Adobe, Dropbox, CrowdStrike, and other firms say that AI is changing, ruining, or replacing their jobs.
