Bangkok Airways Hit By LockBit Ransomware Attack


Passenger data collected by Bangkok Airways published after Thai airline reportedly declines to pay the criminals’ ransom demand

Bangkok Airways has revealed it has been the victim of a cyberattack, and passenger data has been exposed after it reportedly refused to pay a ransom.

Last Thursday the Thai airline announced that on 23 August, it “discovered that the company had been a victim of cybersecurity attack which resulted in unauthorised and unlawful access to its information system.”

Bangkok Airways is not the only airline to suffer a data breach. British Airways endured stiff financial penalties after its systems were hacked in 2018, which resulted in the data of 420,000 customers and staff being harvested by attackers as it was entered.

No payment

In May this year Air India admitted that at least 4.5 million of its passengers had their personal data exposed after the hack of an IT system belonging to a third party.

Bangkok Airways, however, was the victim of a cyberattack from ransomware group LockBit. The airline’s announcement about the matter came a day after LockBit posted a message on its dark web portal threatening the airline with a data leak unless it paid a ransom.

The airline was given five days to sort a ransom payment, but instead of paying the criminals, it opted to disclose the breach publicly.

LockBit reportedly responded by publishing 103GB of compressed files. Data exposed included business documents, as well as some passenger data.

The personal data is thought to have included names, phone numbers, email, addresses, passport details, travel history, and partial credit card numbers, among other things.

The good news is that the airline said no operational or aeronautical security systems were impacted.

Airline statement

“This incident has been reported to the Royal Thai police as well as providing notification to the relevant authorities,” said the airline.

“For primary prevention measures, the company highly recommends passengers to contact their bank or credit card provider and follow their advice and change any compromised passwords as soon as possible.”

“In addition to that, the company would like to caution passengers to be aware of any suspicious or unsolicited calls and/or emails, as the attacker may be claiming to be Bangkok Airways and attempt to gather personal data by deception (known as ‘phishing’),” it added.

“The company (Bangkok Airways) will not be contacting any customers asking for credit card details and any such requests,” it warned. “In case of such event occurs, passengers should take legal actions.”

Double extortion

One security expert has noted that victims who pay a criminal’s ransomware demand often find themselves at risk of double extortion.

“Airlines have always been a popular target for cyber attacks due to a number of reasons,” explained Brooks Wallace, VP EMEA at Deep Instinct. “Each airline holds a vast amount of personal data on their passengers and employees which is an attractive benefit for cyber criminals looking to hold this information hostage as the basis for a second extortion demand, after initial encryption.”

“Furthermore, the industry is well funded so possibility of the hackers receiving a very large financial payout is high,” said Wallace. “If a threat actor launches a successful attack on an airline, there is the possibility that they could shut down the airline’s internal systems and ground flights altogether which would cause not only national mayhem, but have the possibility of causing global chaos.”

“Lastly, the airline industry has been severely impacted by the pandemic and is only now starting to operate more frequent and fuller flights,” said Wallace. “This makes it especially vulnerable to any threat that could slow recovery.”

“When organisations pay a ransom demand, it doesn’t necessarily mean all their troubles are over,” said Wallace. “For example, an encryption key might be provided post-payment, but sometime later, there could be a separate threat to release sensitive data that has been exfiltrated during the initial attack.”

“Double extortion is becoming increasingly prevalent,” he said. “By not paying the ransom, Bangkok Airways have removed themselves from that additional pressure. There should be more encouragement for organisations not to pay ransoms, but in parallel, investment needs to be made in stopping the attack in the first place.”