IOTW: Ransomware thieves publish major airlines’ passenger information

Ransomware group LockBit attacks Bangkok Airways and releases passenger data including passport and credit card information

Sarah Williams
09/03/2021

Just a few weeks after global consultancy Accenture fell prey to a cyber-attack with a US $50mn price tag, the ransomware group LockBit attacked Bangkok Airways, stealing and encrypting a massive haul of passenger information, including passport and credit card data.

In a statement, the Thai airline announced that it had discovered the attack three days earlier and apologized to customers, saying that it was “deeply sorry for the worry and inconvenience that this malicious incident has caused” and that it had alerted the Royal Thai Police, along with relevant authorities.

The airline urged customers to stay alert to phishing emails or phone calls that may be made using the information and to be aware that Bangkok Airways would not contact them to request any personal or financial information. In addition, passengers were urged to contact their bank or credit card provider to change any affected passwords or security questions.

The facts

On August 25, 2021, LockBit alleged in an announcement on its leak site that it had accessed and stored a large amount of Bangkok Airways’ data via its ransomware-as-a-service (RaaS) operation, and that the data would be released as 103GB of compressed files on August 30, 2021, if the airline refused to pay the undisclosed ransom amount.

Despite no obvious provocation other than the travel company’s press release apologizing for the data breach and reassuring customers, LockBit released the files on August 28, 2021. In another post on its leak site, the files were apparently shared, with an updated threat to further release more than 200GB of the airline’s passenger data.

In a statement made to IT website Bleeping Computer, the ransomware actors hinted that the attack on the Thai airline, as well as an earlier attack on Ethiopia Airways and an unnamed airport, were all made possible by the Accenture hack.

As first published on Bleeping, Accenture hit back, replying: “We have completed a thorough forensic review of documents on the attacked Accenture systems. This [LockBit's] claim is false. As we have stated, there was no impact on Accenture’s operations, or on our client’s [sic] systems. As soon as we detected the presence of this threat actor, we isolated the affected servers.”

Lessons learned

While the airline claims that its aeronautical, safety and operational systems have not been hit by the breach, the leak of passport, address, credit card and historical travel information is a huge blow to its reputation – particularly as the travel industry opens again and airlines finally have potential to earn once more as pandemic-related travel restrictions ease.

If the attack did come via information gleaned in the Accenture incident, the airline’s IT security team could possibly have prevented the attack by doubling down on its security measures, conducting a fast assessment of any potential vulnerabilities and, in particular, assessing potential entry points for ransomware attacks.

Quick tips

  • Make sure your staff is cyber security trained, including at point-of-sale and customer service hardware points.
  • Conduct routine vulnerability assessments.
  • Consider adopting a zero-trust architecture.
  • Conduct regular pen tests.
  • Check for ransomware using legitimate, security-recommended software.
  • Use a CASB for cloud activity.
  • Make sure you are mobile and IoT secure, with, for example, SASE.