Sea-Tac Airport cyberattack caused by global ransomware gang, Port says

A ticket agent with WestJet Airlines at Seattle-Tacoma International Airport writes a luggage tag by hand at the airport on Aug. 26, after a cyberattack disrupted computer systems. The cyberattack, by a group called Rhysida, resulted in internet and technology outages during the busy traveling season leading up to Labor Day. (Ellen M. Banner / The Seattle Times)


Seattle Times staff reporter

A ransomware gang responsible for dozens of financially motivated attacks was behind a cybersecurity incident that has disrupted Seattle-Tacoma International Airport operations for about three weeks, the Port of Seattle said Friday.

The cyberattack on Aug. 24, by a group called Rhysida, resulted in internet and technology outages during the busy traveling season leading up to Labor Day. Agents at common-use gates that rely on Port software had to handwrite boarding passes, and airlines sorted through a luggage mess that resulted in bags getting delivered to travelers well after they reached their destinations.

“It was a fast-moving situation, and Port staff worked to quickly isolate critical systems,” the Port’s news release said.

Most of those issues have since been resolved, but Rhysida encrypted access to some data, the Port said. The Sea-Tac Airport website and app remained unavailable Friday, and flight information displays only came back online Wednesday.

Assessing exactly what data was stolen takes time, said the Port’s news release. Employees and passengers will be informed if the investigation determines personal data was stolen.

Rhysida emerged last year and was also behind the British Library cyberattack. In that October 2023 ransomware attack, Rhysida stole emails and documents containing employees’ passport scans and work contracts and demanded 20 bitcoins (about £600,000 at the time) from the library. The U.K. National Cyber Security Centre CEO called it “one of the worst cyber incidents in British history.”

The ransomware gang is believed to be Russian, and it has primarily targeted victims in the education, health care, manufacturing, information technology and government sectors.

The efforts by Port of Seattle staff to stop the attack “appear to have been successful,” the Friday news release said. There has been no new unauthorized activity on Port systems since Aug. 24. The news release said it remains safe to travel from the airport and use the Port of Seattle’s maritime facilities.

“The Port of Seattle has no intent of paying the perpetrators behind the cyberattack on our network,” said Steve Metruck, the Port’s executive director, in a statement. “Paying the criminal organization would not reflect Port values or our pledge to be a good steward of taxpayer dollars.”

The Port noted that because it’s refusing to pay the ransom, the ransomware group may respond by posting data they claim to have stolen on the dark web.

The airport’s temporary website, portseattle.org, provides updates on operations and technological availability.

The Port of Seattle is “taking additional steps” to further secure its IT services by strengthening identity management and authentication and enhancing its monitoring, said the news release.

Lauren Girgis: 206-652-6591 or lgirgis@seattletimes.com