In late August, TAP Air Portugal was hacked by a group calling itself Ragnar Locker, and the company has apparently refused to cooperate with the intruders, leading to a more extensive leak this week.
At first, the group released roughly 115,000 customer datasets, which they extracted by exploiting a vulnerability in the carrier's IT infrastructure, but now it's apparently 10 times as much.
In addition to the customer data, they have now exposed confidential corporate documents about employees and partners, as well as contract details with other carriers.
TAP had never really admitted to being hacked, instead calling it a "system instability".
The hack was first reported in early September by some newspapers and data security websites.
Securityweek wrote on September 1st:
The Ragnar Locker ransomware gang says it has exfiltrated customer data in a cyberattack on Portuguese state-owned flag carrier airline TAP Air Portugal.
The incident was initially disclosed on August 26, when TAP announced on Twitter that it managed to foil the cyberattack before the threat actor could access any customer data.
“TAP was the target of a cyberattack, now blocked. Operational integrity is guaranteed. No facts have been found that allow us to conclude that there has been improper access to customer data. The website and app still have some instability. Thank you for your understanding,” the company said.
On August 31, however, the Ragnar Locker ransomware gang boasted on their leaks website that the airline’s systems were in fact breached and that customer data was exfiltrated.
The threat actor also attempted to shame TAP, claiming that the data breach could result in the largest lawsuit in history, inferring that the personal information of at least hundreds of thousands of TAP customers was impacted in the incident.
The gang also posted a screenshot allegedly proving that data was indeed stolen during the cyberattack. The screenshot appears to include names, addresses, email addresses, phone numbers, corporate IDs, travel information, nationality, gender, and other personal information.
An alert that TAP published on its website on September 1 makes no mention of a data leak, but does inform customers that “the website and the app are still registering some instability.”
So far so good. We haven't heard anything else in the last three weeks, so one would have thought that'd be the end of it, but apparently the hackers have now entered round two.
Expresso Portugal reported today that the hackers tried to negotiate a ransom payment with the company, but TAP wouldn't have any of it and, as a result, there are now 1.5 million customer datasets, plus more data from the company itself, floating around on the dark web.
The cybercriminal group Ragnar Locker carried out the threat it had been making and this Monday published 581 gigabytes (GB) of data that it says relates to 1.5 million TAP customers. In a message published on the Dark Web, the Ragnar Lockers also guarantee that they continue to have access to TAP’s computer systems. In addition to the tables with addresses, telephone numbers and customer names, the data leak presents identification documents of people who appear to be professionals or partners of TAP, as well as confidential agreements with several companies and relationships with other airlines, confirmed the Express, after accessing the files.
“The most interesting thing is that they [TAP] have not yet resolved the vulnerabilities in the network itself and this type of incident could happen again. By the way, if anyone needs remote access to TAP Air [sic], let us know”, reads the end of the message that Ragnar Locker has just published on the Dark Web.
TAP has been working with the Judiciary Police, the National Cybersecurity Center and Microsoft with the aim of remedying the flaws that led to the leak of information. Contacted by Expresso, TAP responds that, “thanks to cybersecurity systems and the quick action of the in-house Information Technology team, the intrusion was contained at an early stage, before causing damage to operational processes. TAP’s operations are proceeding normally”, reiterates TAP, without commenting in detail on the allegation of remote access by the hackers. “We will therefore continue to take all necessary measures”, adds TAP on the cyberattack.
The publication of this second wave of data comes just over a week after the group specialized in asking for ransoms to unlock infected computers published on the Dark Web the data of 115 thousand customers and sensitive information from TAP professionals, as evidence of the files it managed to divert through alleged vulnerabilities in the carrier's computer networks.
Expresso found that TAP did not accept the cybercriminals’ suggestion and did not negotiate the payment of a ransom to prevent the publication of the data – a retaliation that is recurrent when companies do not pay ransom to unlock infected computers, because they made backup copies that quickly arrange for systems to be replaced.
It's hard to say what the right course of action is here, and impossible to say without knowing the specifics. On one hand, it's never good to pay any ransom, as it opens the door to further extortion, and who guarantees that the hackers will destroy the information they retrieved from TAP's systems (highly unlikely)? Law enforcement typically tells affected entities that they shouldn't pay any ransom.
That being said, the hack was only possible because the intruders exploited a hole in TAP's security, and therefore the carrier should probably have made some effort to avoid having all this information spread around, even if it can't be 100% certain that it can be kept under wraps.
This is the notice posted together with the large files available for download:
Not that I want to condone or excuse this criminal activity, but it really seems like TAP hasn't made any effort to correct its security deficiencies since it first had knowledge of the breach.
As it became clear that the company wouldn't pay and had also made no progress in plugging the hole, the hackers simply posted all the data on the dark web, and as a result both consumer and corporate data are now in the open.
Conclusion
If you're a TAP Air Portugal customer, you might want to take a good look at your passwords and other confidential information associated with your TAP accounts, such as the online portal and loyalty login. Passwords across the board should be reset, as your information is now most likely compromised as a result of both the hackers' criminal energy and TAP's incompetence in safeguarding its database.
Given the rather relaxed approach TAP displayed here, I can imagine them indeed being liable under European data protection law, which can carry massive fines, as companies such as British Airways have already had to suffer.