Bangkok Airways refused to pay ransom following data breach, resulting in data being dumped online
Bangkok Airways have suffered a data breach and refused to pay the ransom, which resulted in the data being dumped online. Airlines have always been a popular target for cyber attacks for a number of reasons. Each airline holds a vast amount of personal data on its passengers and employees, which makes it attractive to cyber criminals looking to hold that information hostage as the basis for a second extortion demand after the initial encryption.

Furthermore, the industry is well funded, so the possibility of the hackers receiving a very large financial payout is high. If a threat actor launches a successful attack on an airline, they could shut down the airline’s internal systems and ground flights altogether, which would cause not only national mayhem but potentially global chaos.

Lastly, the airline industry has been severely impacted by the pandemic and is only now starting to operate more frequent and fuller flights. This makes it especially vulnerable to any threat that could slow recovery.

When organisations pay a ransom demand, it doesn’t necessarily mean all their troubles are over. For example, an encryption key might be provided after payment, but some time later there could be a separate threat to release sensitive data that was exfiltrated during the initial attack. Double extortion is becoming increasingly prevalent. By not paying the ransom, Bangkok Airways have removed themselves from that additional pressure. There should be more encouragement for organisations not to pay ransoms, but in parallel, investment needs to be made in stopping the attack in the first place.

The best protection against attacks such as this one is a multi-layered approach using a variety of solutions. A “prevention-first” mindset is also key: otherwise, attacks need to execute and run before they are picked up and checked to see whether they are malicious, which can take 60 seconds or more. When dealing with an unknown threat, 60 seconds is too long to wait for an analysis. Organisations need to invest in solutions that use technology such as deep learning, which can deliver a sub-20 millisecond response time and stop a ransomware attack pre-execution, before it can take hold.