Portuguese Airliner Vows Defiance Against Extortion Hackers
Ragnar Locker Leak Site Publishes Data of 1.5 Million Customers
Portugal's national airline publicly vowed Wednesday not to negotiate with hackers publishing customer information on the dark web nearly a month after the airline first detected a cybersecurity intrusion.
The Ragnar Locker ransomware-as-a-service group late last month claimed responsibility for the attack after state-owned TAP Air Portugal downplayed the cybersecurity incident, asserting that it appeared no improper access to customer data had occurred.
Now, the Ragnar Locker leak site hosts the details of 1.5 million TAP customers.
"We do not want to negotiate, and we are not willing to reward this behavior," airline CEO Christine Ourmières-Widener said in a video message apologizing to customers. "We hope you support us in this ethical attitude."
The airline says it began investigating a cyber incident on Aug. 25 and stopped it in its early stages. Hackers still managed to obtain customer information, including name, nationality, gender, date of birth, address, email, telephone number, customer registration date and frequent flyer number.
TAP says it has found no indication of payment card details being exfiltrated, and frequent flyer program data was not compromised. The airline nonetheless recommends users update their passwords.
It also warned customers they could be targeted by phishing attacks and other forms of digital fraud due to online exposure of their personal data. The airline "will not send direct messages on this subject to individual customers by any means," it said.
TAP added that all affected systems have been isolated and the cleanup is in progress. The airline is also getting help from external experts to further investigate, recover and strengthen its cybersecurity measures in specific areas of concern.
Ragnar Locker says otherwise, writing on its leak site that TAP has not fixed the vulnerability in its network that the group exploited during the attack.
The airline did not respond to Information Security Media Group's request for comment.