Seattle-Tacoma Airport Cyberattack Linked to Rhysida Ransomware Group

The Port of Seattle has confirmed that the Rhysida ransomware gang was behind the cyberattack that disrupted operations at Seattle-Tacoma International Airport (SEA) and other Port facilities on August 24, 2024.

In a new press release published late last week, the Port revealed that it successfully blocked the attack shortly after it was detected, but Rhysida managed to encrypt access to several critical systems, affecting key services such as flight check-in, baggage handling, and airport Wi-Fi. The Port continues to recover, and while many systems were restored within a week, some services are still being rebuilt.

The attack occurred at one of the busiest travel hubs in the Pacific Northwest, which serves over 51 million passengers annually and is a key hub for Alaska Airlines and Delta Air Lines. SEA’s check-in kiosks, ticketing systems, and flight information boards were among the services hit, causing significant disruptions for travelers. The Port’s website, the flySEA app, and parking reservation systems also experienced outages. By temporarily disconnecting systems from the internet, the Port was able to contain the damage, though some encryption-related issues hindered a faster restoration of services.

This incident was a “ransomware” attack by the criminal organization known as Rhysida. The efforts our team took to stop the attack appear to have been successful. There has been no new unauthorized activity on our systems since that day.

— Port of Seattle – ⚓️ (@PortofSeattle) September 13, 2024

Despite the severity of the incident, the Port has refused to meet the ransom demands, following a firm stance not to negotiate with the criminal organization responsible. Port of Seattle Executive Director Steve Metruck emphasized that paying the ransom would go against the Port's values and its responsibility to safeguard taxpayer resources. However, Rhysida has yet to list the Port of Seattle on its dark web extortion portal, which suggests the group may still be holding out for negotiations.

The Port acknowledged that some data was likely stolen in the breach, but the investigation is ongoing to determine exactly what was accessed. If personal data related to employees or travelers was compromised, the Port has committed to notifying those affected. For now, heightened security measures remain in place, and the Port continues to work with cybersecurity experts and law enforcement agencies to fortify its systems against future attacks.

In the aftermath of the attack, the Port has taken several steps to strengthen its cybersecurity posture. These include enhancing identity management protocols, tightening authentication procedures, and improving system monitoring. The Port remains focused on not just restoring normal operations but also building a more resilient infrastructure to withstand future cyber threats.

As investigations continue, passengers are encouraged to stay updated on current airport operations through the Port's temporary website and social media channels. In light of the attack, SEA Airport has advised travelers to check in online, travel with carry-on luggage when possible, and arrive early to accommodate any potential disruptions.