The BianLian ransomware group has threatened to leak extensive information stolen during the Air Canada data breach.
In September 2023, Canada’s largest airline acknowledged a breach that BianLian later claimed. Air Canada said that unnamed attackers briefly obtained limited access to internal systems “related to limited personal information of some employees and certain records.”
BianLian, however, has dismissed Air Canada’s explanation as “half-truths,” while the carrier accuses the group of trying to extort it through the media.
BianLian: Air Canada’s data breach exposed more than limited employee data
BianLian claims to have stolen 210 GB of technical and operational data spanning 2008 to 2023. According to the group, the trove includes information about vendors and suppliers, SQL backups, confidential documents, database archives, and employee personal details.
The cybercrime group stressed that the employee data Air Canada disclosed was the least of the company’s concerns, given the volume of other information it says it took.
“As for Air Canada data breach disclosure, they’re only telling half-truths,” BianLian said. “Employee personal data is only a small fraction of the valuable data over which they have lost control.”
“For example, we have SQL databases with company technical and security issues. You can check it out for yourself, a demo package with screenshots is available below. Backups with this data are available on our website and at your request.”
Whether or not anything is being concealed, it remains unclear whether the company has a complete inventory of the information potentially compromised. The full extent of a data breach typically becomes apparent only weeks or months after the initial incident.
“Announcing a cyberattack is damaging enough, but announcing a cyberattack with incorrect information can cause permanent damage,” said Ryan McConechy, CTO at Barrier Networks. “Air Canada must continue its investigations into the breach to work out the validity of the claims. However, making false announcements on victims is something ransomware gangs avoid as it damages their reputations and profitability opportunities.”
Although BianLian says it refrained from encrypting Air Canada’s IT infrastructure because of the “potential damage” that would have caused, the group faulted the company’s response to the incident.
“Air transportation companies must remove all software that could compromise their systems and, ultimately, the people for whom they are responsible. As far as we can tell, this was not done; operations continued,” noted the ransomware group.
According to Mike Newman, CEO of My1Login, the Air Canada data breach could endanger the company’s infrastructure, customers, and employees.
“If this high volume of data has been compromised, Air Canada must inform impacted parties as a priority, so they can be on alert for fraud and phishing scams, which aim to exploit them further by stealing more of their confidential data,” said Newman.
BianLian ransomware extorts Air Canada through the media
Air Canada accuses the group of attempting to extort the company via the media after failing to secure a ransom payment.
“BianLian had threatened to resort to exploiting the media in their unsuccessful extortion efforts,” said Air Canada.
However, the company declined to comment on specific allegations, terming them “claims made by an anonymous group based on cybercrime.”
The airline also urged the media not to amplify the ransomware group’s message. “We trust that media will consider this and report on issues such as this responsibly,” an Air Canada spokesperson said.
Air Canada has suffered at least two data breaches in the last five years. In August 2018, threat actors breached the carrier’s mobile apps and accessed the names, birth dates, email addresses, phone numbers, and passport information of at least 20,000 users. The company responded by locking down 1.7 million accounts and requesting password resets.
BianLian has become one of the more prominent ransomware groups by targeting critical infrastructure in the United States and other countries. In May 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI published a joint advisory stating that the group gains initial access to victim networks through compromised Remote Desktop Protocol (RDP) credentials. The same advisory noted that since January 2023 the group has shifted primarily to exfiltration-based extortion without encrypting victims’ systems, consistent with its stated handling of Air Canada.