Sea-Tac Airport official testifies hackers demanded ransom of about $6M in bitcoin
Sep 20, 2024, 5:04 AM | Updated: 5:05 am
(Image courtesy of the U.S. Senate/commerce.senate.gov)
Testifying on Capitol Hill in Washington, D.C., Wednesday, a Seattle-Tacoma International Airport (Sea-Tac Airport) official confirmed the hackers who entered the Port of Seattle systems last month demanded a ransom of 100 bitcoin — or around $6 million — in exchange for deleting personal data they had stolen.
Lance Lyttle, Sea-Tac Airport’s aviation managing director, spoke and answered questions in front of the Senate Committee on Commerce, Science and Transportation at a hearing titled “Aviation Cybersecurity Threats.” The committee is chaired by Washington’s Democratic U.S. Sen. Maria Cantwell. While there, he discussed the Aug. 24 cyberattack that took down many Port of Seattle and Sea-Tac Airport services, notably leaving airport staff to scramble significantly to get the tens of thousands of travelers arriving at and leaving from the airport to their final destinations.
The entire hearing can be viewed on the U.S. Senate’s website here and Lyttle’s extended comments can be viewed as a PDF here.
Officials confirmed the cyberattack brought down websites, email and many airport services and it disconnected phone services. Cantwell herself said she was affected by the cyberattack that affected many services at Sea-Tac Airport. Some areas remain affected, including the Port of Seattle website.
“The display boards were down for a week. I personally ran through the airport trying to catch a flight, not sure if I was going to the right gate,” Cantwell said during the hearing. “I had something on my device, but since all the boards were dark, I had no idea if I was going to get to my gate, or if that was really going to be the gate.”
“Every time we witness these technology failures, consumers are the ones left holding the bag,” Cantwell also said.
Her office called out those portions of her statement in a news release emailed to media members Wednesday as well.
Trouble for travelers: Some people waited hours in the aftermath of the airport cyberattack
More information on actions of the ‘threat actor’
The incident was a ransomware attack put into motion by the criminal organization known as Rhysida, according to an agency news release distributed last week. The Port of Seattle added that the work its team did to stop the attack “appear to have been successful” as there has been “no new unauthorized activity on Port systems since that day.”
Lyttle provided additional information in his testimony Wednesday, explaining during the hearing and in written comments submitted to the committee that Rhysida, who Lyttle called the “threat actor” attempted to secure a ransom payment from the Port in exchange for “providing a decryption key and deleting data they copied.” Lyttle went on to say that on Monday, Rhysida posted the Port of Seattle’s name on their “leak site where they identify victims, as well as a copy of eight files stolen from Port systems.”
The criminal group’s plan is to publish others in seven days unless the Port of Seattle pay 100 bitcoin. Given that the value of 1 bitcoin has hovered between $54,000 and $64,000 in the last month, the group has demanded a ransom of about $6 million to stop the dissemination of private information.
Members of the Port of Seattle staff are working to review the files published on the leak site and others the Port believes the criminal group copied, Lyttle said. From there, the Port “will notify any individual whose personal information has been compromised, and will provide appropriate support.” The Port added it has been able to validate that its backups were largely intact.
Lyttle reiterated the Port of Seattle’s previously expressed position that it won’t pay the ransom to Rhysida for multiple reasons.
“With regards to paying the ransom, that was contrary to our values, and we don’t think that’s the best use of public funds. So, we decided not to pay it,” Lyttle said during his testimony.
Lyttle added that while his organization “believes strongly” this is the right approach, it’s also “not a decision that we take lightly.” He went on to say that if the Port finds any employee’s or individual’s personal information has been compromised, it will notify the affected parties and “provide appropriate support.”
Previous coverage: Outage was ransomware attack; ransom hasn’t been paid, Port of Seattle confirms
Trying to prevent this happening again in the future
Using the phrase “stronger after” in his written comments and his testimony, Lyttle went on to discuss what can be done to prevent attacks like this from happening in the future, calling out “ways that Congress and federal agencies can help the aviation industry be even more resilient in the face of these ongoing threats and challenges.”
Lyttle brought up three points related to communication and sharing information to potentially impacted parties within the industry.
- Government agencies should continue to proactively prioritize the dissemination of timely and actionable cyber threat information “as soon as reasonably practicable.”
- Classified briefings should be provided at the earliest opportunity to highlight new and emerging threats.
- In accordance with a TSA mandate, airports and airlines have been reporting cybersecurity incidents to CISA, and there are opportunities to improve the two-way sharing of information.
“The aviation industry benefits greatly from information about common cybersecurity incidents, and we need to make sure we are optimizing our security tools, talent, and properly resourcing our cyber ecosystems to focus mitigation efforts,” Lyttle explained in his written comments.
Steve Coogan is the lead editor of MyNorthwest. You can read more of his stories here. Follow Steve on X, or email him here.