Cyberattack Disrupts Operations at Seattle-Tacoma International Airport

In August 2024, Seattle-Tacoma International Airport (SEA) fell victim to a cyberattack, significantly affecting its operations for days. The Port of Seattle, which oversees the airport, confirmed that an “unauthorized actor” accessed SEA’s computer systems on August 24, resulting in a ransomware attack that crippled essential services. The attack disabled message boards and email communication and forced airlines to revert to manual check-in procedures, causing widespread disruption.

Despite the severity of the incident, flight delays were minimal, as most airlines were able to use their own systems to continue operations. However, some carriers resorted to pen-and-paper methods to check in passengers and manage baggage. To mitigate confusion, the Port of Seattle deployed workers throughout the airport to assist travelers.

SEA’s critical security systems, including those managed by the Transportation Security Administration (TSA) and Customs and Border Protection, were not compromised. However, public WiFi, flight information displays, and baggage claim boards were down for more than a week after the initial breach, leading to frustration among passengers.

In response to the cyberattack, the Port took immediate action to isolate affected systems and prevent further damage. While most systems were restored within a week, the Port acknowledged that work on some external systems, such as the SEA website and internal portals, was still ongoing. Despite these efforts, some lingering effects from the attack remain, and SEA continues to operate under heightened security measures.

The Port’s Executive Director, Steve Metruck, emphasized that no ransom was paid to the attackers, a known hacker group called Rhysida. This group has been associated with ransomware attacks targeting large organizations worldwide. According to a U.S. government Cybersecurity Advisory, Rhysida commonly gains access to networks through compromised VPN credentials and employs “double extortion” tactics, in which it demands payment to decrypt data and threatens to publish sensitive information if the ransom is not paid.

“Our values as an organization do not align with paying criminal organizations,” Metruck stated. “We refuse to be coerced into paying ransom, and we will not use taxpayer dollars to meet such demands.”

The Port has confirmed that some data was stolen during the attack. While the investigation into the exact nature of the compromised information is ongoing, the Port is prepared to notify any affected stakeholders, including employees and passengers, if personal data has been exposed. The organization also warned that some stolen information could potentially be published on the dark web as a result of its refusal to pay the ransom.

As the investigation continues, the Port of Seattle remains focused on restoring and rebuilding its IT systems, as well as strengthening cybersecurity measures to prevent future incidents. “We are committed to enhancing our existing controls and securing our IT environment to protect both our operations and the personal information of our passengers and employees,” the Port stated.

The Port apologized for the inconvenience caused by the attack and reassured travelers that SEA remains a safe airport. “We understand the frustration this has caused, and we are working diligently to ensure the safety and security of our travelers and facilities,” they added. Despite the cyberattack, it remains safe to travel from Seattle-Tacoma International Airport.
