Thai airline Bangkok Airways Public Company Ltd. is the latest victim of the LockBit ransomware gang, with stolen data published on the dark web.

The attack was first disclosed to customers on Aug. 28 via an email. The email described the attack as a “cybersecurity attack” that resulted in unauthorized and unlawful access to the company’s information systems. Bangkok Air said it launched an investigation, hired a third-party cybersecurity firm to help and reported the incident to the Royal Thai Police.

To its credit, it admitted upfront that data had been stolen and detailed the data. Stolen data includes passenger names, nationality, gender, phone numbers, emails, addresses, contact information, passport information, historical travel information, partial credit card information and special meal information.

Bangkok Air added that as a caution, customers should contact their banks or credit card providers and follow their advice. In addition, the advice included changing any compromised passwords as soon as possible. The company also said that customers should be aware of any suspicious and unsolicited calls and/or email as “the attacker may be claiming to be from Bangkok Airways and intends to gather your personal data.”

The extent of the warning from a Thai airline is highly professional, though somewhat misguided. The LockBit ransomware gang isn’t going to phish customers; it’s the people who get their hands on the stolen data who will.

LockBit, famous for ransomware attacks on companies such as Accenture PLC, is a double-tap ransomware gang. The double-tap is that it both encrypts data and steals it, demanding a ransom payment for both a decryption key and a promise not to publish the stolen data. In this case, Bangkok Air did not pay the ransom payment and all the stolen data has now been published.

The Register reported today that the size of the published stolen data is in dispute. The stolen data is either 103 gigabytes or more than 200 GB, according to competing claims.

The amount LockBit demanded from Bangkok Airways is not known. It had previously demanded ransom payments of up to $50 million. Asking a Thai airline for a payment that big at a time when most of them are teetering on the brink of bankruptcy amid COVID-19 lockdowns and flying restrictions is an extremely hard ask.

“It’s very important that organizations not only protect their backup infrastructure so they can recover after a breach but also protect their most important data and get an alert on large data leaving their infrastructure,” Quentin Rhoads-Herrera, director of professional services at managed detection and response firm Critical Start Inc., told SiliconANGLE. “In this instance, the data LockBit has obtained can be used to extort Bangkok Air for additional cryptocurrency or they can release it as a way to damage the brand of Bangkok Air at the same time of receiving notoriety as a criminal organization.”

The primary thing Bangkok Air needs to do now, he added, is identify the point of entry used by LockBit. “If LockBit group was able to gain entry due to an unpatched externally facing system then not only do they need to evaluate their current external exposure, but they also need to improve their overall asset inventory and patch management processes to ensure systems are updated often,” he said.

Photo: Bangkok Airways