The BianLian extortion group claims to have stolen 210GB of data after breaching the network of Air Canada, the country’s largest airline and a founding member of Star Alliance.
While the company said in a statement issued in September that systems compromised in the breach included “limited personal information of some employees and certain records,” the attackers now claim that the stolen documents contained much more extensive information.
The threat actors also shared screenshots of the stolen data on their dark web data leak website as proof and a detailed description of what was stolen from the airline’s network.
BianLian claims to have exfiltrated technical and operational data spanning from 2008 to 2023, including details about the company’s technical and security challenges, SQL backups, personal information of employees, data regarding vendors and suppliers, confidential documents, and archives from company databases.
“Employee personal data is only a small fraction of the valuable data over which they have lost control,” the cybercrime gang said.
“For example, we have SQL databases with company technical and security issues. You can check it out for yourself; a demo package with screenshots is available below. Backups with this data are available on our website and at your request.”
BianLian is a ransomware group that has been targeting critical infrastructure organizations in the U.S. and Australia since June 2022. The gang switched to extortion-only attacks in January 2023, after Avast released a decryptor for its ransomware.
In a statement shared with BleepingComputer today, Air Canada said it was aware of BianLian's threats but did not confirm the extortion group's claim that it was behind the breach.
“BianLian had threatened to resort to exploiting the media in their unsuccessful extortion efforts,” an Air Canada spokesperson told BleepingComputer via email.
“For this reason, we cannot comment on any claims made by an anonymous group based on cybercrime and we will not add anything to what we have said publicly. We trust that media will consider this and report on issues such as this responsibly.”
The Canadian airline has yet to disclose how many employees were affected by the incident, the date when its network was breached, and when the attack was detected.
In emails sent today, Air Canada also urged some of its customers to enable SMS-based multifactor authentication on their Aeroplan accounts and to use strong passwords to defend against credential stuffing and password spraying attacks.
In 2018, Air Canada disclosed another security breach after unauthorized parties accessed the profile information of 20,000 of its mobile app users.
As a result of this incident, the airline was forced to lock all 1.7 million mobile app accounts to protect its customers’ data.
The attackers gained access to a wealth of data in the 2018 breach, including mobile app users’ names, email addresses, and phone numbers, as well as passport numbers, expiration dates, and country of issuance and residence.
Air Canada said at the time that customer credit card data wasn’t exposed and that no aircanada.com accounts were affected as they’re not connected to the mobile app.
This week, Air Europa, the third-largest airline in Spain, also warned customers to cancel their credit cards after attackers accessed their card information in a recent data breach.