Sensitive data leaked on the dark web: The hack of Swissport, the world’s largest airport ground services company, may be worse than the company says
At the beginning of February, a hacking attack against Swiss International Airport Services Ltd (Swissport) made headlines worldwide. Air traffic was delayed due to the temporary unavailability of certain systems.
Swissport, the world's largest airline and airport service provider, is headquartered in Opfikon in the canton of Zurich. Swissport spokesman Stefan Hartung said last Thursday, "Preliminary analysis indicates that there is an extremely high probability that no sensitive data was compromised." But that was likely a mistake.
Behind the attack is the ransomware group BlackCat, also known in the field as ALPHVM. Since Tuesday, the ransomware hackers have been offering all of the stolen data for sale on their dark web site. According to their own account, 1.6 terabytes of internal data fell into their hands.
As evidence of the data breach and to underline their threat, they released a small portion of the data, including copies of passports of different nationalities, application documents and excerpts of confidential audit reports. For example, one form shows names, nationalities, religions, phone numbers and assessments from job interviews. Whether this data came from Swissport (which seems likely) or from other hackers is not certain.
The hackers have threatened to release more sample data soon in order to put further pressure on the hacked company. The company's latest statement reads:
"For Swissport, the security of data on our systems is of the highest priority. Swissport has responded to cyber attacks affecting multiple of our systems. As part of our analysis, we discovered that unauthorized individuals placed data allegedly stolen from Swissport online. We take these claims seriously and are analyzing the data that has been released as part of our ongoing investigation into the incident.
Upon learning of the incident, we immediately shut down the affected systems, launched an investigation, notified law enforcement authorities, and brought in leading cybersecurity experts to assess the extent of the attack. At this time, we are unable to provide further details.
We are in dialogue with our customers, partners and employees. Swissport regrets the situation this incident has caused to our customers, partners and employees."
Last week, Swissport said, "The FDPIC (editor's note: Federal Data Protection and Information Commissioner) has not yet been notified, as the IT security incident did not result in an outflow of data, thereby creating a corresponding obligation to inform."
The ransomware attack on the baggage handler's IT infrastructure began on Thursday morning two weeks ago and was immediately discovered, according to the companies involved. "Our IT security systems detected the incident early on, so we were able to take immediate, effective and successful defensive measures," a media spokesperson said.
IT systems for planning personnel, aircraft and freight were affected. Swissport was able to (partially) recover its systems relatively quickly, but contrary to initial assumptions, it became clear that the data breach could not be prevented, or at least not completely.
In 2021, Swissport was responsible for ground handling services for approximately 97 million passengers. It provides services such as boarding, cargo services and aircraft refueling.
This cybercrime group was behind the hack
Swissport is dealing with an extremely dangerous ransomware ring. BlackCat is currently targeting companies from countries such as the United States, Ukraine and Switzerland and is attacking companies with widely used Windows and Linux systems.
In Germany, for example, the ransomware group caused a stir earlier in the year when hackers crippled the nation's Oiltanking oil depot, which supplies large companies such as Shell.
BlackCat has been active for only a short time and has caused a stir with apparently very sophisticated and advanced encryption software. BlackCat both encrypts and steals data, which gives it extra leverage over victims who can restore their data from backups.
BlackCat, also formerly known as BlackMatter or DarkSide, is likely the same group of criminals that previously worked with the particularly active ransomware group REvil. In 2021, REvil was involved in one of the largest ransomware hacks to date, infiltrating 800 to 1,500 companies worldwide and stealing valuable data. In early June 2021, REvil attacked JBS, the world's largest meat company, with ransomware, crippling much of its production in North America and Australia.
In short: the Swissport hackers are likely experienced and professional ransomware attackers.
Why victims should not pay the ransom
The National Cyber Security Center (NCSC) advises against paying the ransom, warning that "there is no guarantee that criminals will not release the data or derive other benefits from it after paying the ransom. In addition, each successful extortion provides an incentive for attackers to continue, funding the further development of the attack and facilitating its spread."
If victims are still considering paying the ransom, NCSC strongly recommends discussing these steps with state police.
The website https://www.nomoreransom.org/ offers tips for identifying malware and the option to download keys already known. nomoreransom.org is a joint project of the Dutch police and Europol, with the participation of the Swiss Confederation.
From: On DarkNet – Dark Web News and Analysis