The hackers behind last month’s cyberattack on Seattle-Tacoma International Airport are demanding a 100-bitcoin ransom — about $6 million — for stolen data, though just how much information was accessed, and what kind, is still unclear.

During a Wednesday morning hearing with the U.S. Senate’s Commerce, Science and Transportation Committee, the airport’s aviation managing director, Lance Lyttle, said an internal investigation of the cyberattack remains ongoing, but that officials have confirmed that ransomware gang Rhysida was behind the hack.

On Monday, Rhysida posted on its darknet leak site what appears to be a copy of eight files stolen from Port of Seattle systems, Lyttle said. The Port, which owns and operates Sea-Tac, has decided not to pay the ransom, he added.

“We’re currently reviewing the files published on the leak site, as well as others we believe were copied,” he told the committee. “ … With regards to paying the ransom, that was contrary to our values and we don’t think it’s the best use of public funds.”

It’s not yet clear how much data the ransomware group accessed in total.

Sea-Tac spokesperson Perry Cooper confirmed the ransom demand, but declined to clarify exactly what data Rhysida had posted this week.

However, Australian cybersecurity news outlet Cyber Daily reported the sample data posted included a scan of a current passport belonging to a Port program manager and several tax forms with personal information such as Social Security numbers and signatures, along with other documents. Rhysida also posted a detailed map of Portland International Airport, according to Cyber Daily.

Rhysida has put the data up for auction that will close next Monday, Cyber Daily reported. Rhysida claimed it has more than 3 terabytes of data, according to the outlet.

“Our investigation is continuing as we focus on recovery,” Cooper wrote in an email. “If we discover any personal information has been compromised we will reach out to those individuals who may be involved.”

The Port will provide credit monitoring services to anyone impacted by the cyberattack, Lyttle said.

The airport first identified the cyberattack on Aug. 24, when websites, email and phone services went down, disrupting Sea-Tac systems and travel plans. Agents at common-use gates that rely on Port software had to handwrite boarding passes, and airlines sorted through a luggage mess that resulted in bags getting delivered to travelers well after they reached their destinations.

Most issues have been resolved, but Rhysida was able to encrypt access to some data and obtain some information, the Port said in a statement last Friday.

Since then, Port employees have spent more than 4,000 hours assisting with operating and customer service, Lyttle said Wednesday. There has been no new unauthorized activity on Port systems since Aug. 24, and it remains safe to travel from the airport and use the Port of Seattle’s maritime facilities, last week’s statement said.

However, Lyttle said the airport’s ongoing renovations and capacity limitations “magnified” the cyberattack’s impact to the traveling public.

Lyttle told Sen. Maria Cantwell, the committee’s chair, that he is not yet sure why Sea-Tac was targeted. Cantwell said she personally was trying to catch a flight that weekend and ran through the airport unsure if she was going to the right gate.

His team plans to produce an independent after-action report once the investigation wraps up, Lyttle said.

Lyttle added that he’s proud of the way his team “sprung into action” and that he’s looking forward to working with other government agencies and lawmakers to “prioritize the dissemination of timely, actionable, cyberthreat information.”

“Cybercriminals are always evolving their tactics, and so we are continuing to work to further harden our cyber defenses, including strengthening our identity management and authentication protocols, as well as enhancing our monitoring,” Lyttle said.

Lyttle also told U.S. senators it would be helpful to have federal cybersecurity agencies consolidate all the information they receive from similar cyberattack reports, come up with best practices and disseminate them back to those in the aviation industry.

“Currently, it’s a one-way street that we’re sending the information,” Lyttle said. “We’re not getting back, in a timely enough manner, recommendations of how to improve our infrastructure. That would make a major difference.”

Rhysida, believed to be a Russian group, emerged last year and was also behind the British Library cyberattack. In that October 2023 ransomware attack, Rhysida stole emails and documents containing employees’ passport scans and work contracts and demanded 20 bitcoins (about 600,000 pounds at the time) from the library. The United Kingdom National Cyber Security Centre CEO called it “one of the worst cyber incidents in British history.”

The Seattle Public Library has also been recovering from a similar attack in May.

The airport’s temporary website, portseattle.org, will continue to provide updates on operations.

©2024 The Seattle Times. Visit seattletimes.com. Distributed by Tribune Content Agency, LLC.