Gang says it stole more Air Canada data than the company admits

The BianLian ransomware gang says Air Canada hasn’t been forthright about the amount of data it stole in last month’s cyber attack.

Last month the airline said an attacker “briefly obtained limited access to an internal Air Canada system related to limited personal information of some employees and certain records.” The statement didn’t say how much data was copied.

But this week, in an attempt to pressure the airline, the gang said on its data leak site the company “is only telling half-truths. Employee personal data is only a small fraction of the valuable data over which they have lost control. For example, we have SQL databases with company technical and security issues.”

The gang alleges it has Air Canada technical and operational data from 2008 through 2023, information on the company’s technical and security issues, SQL backups, and unspecified confidential documents as well as employee personal data.

As proof it posted a screenshot of alleged stolen file names, and samples are available for viewing.

Brett Callow, a British Columbia-based threat analyst for Emsisoft who re-posted the gang’s message on X, doesn’t know if the listed data is really from Air Canada.

IT World Canada has asked the airline for comment.

The gang also is trying to put itself in a good light, saying it didn’t install ransomware, only stole data. “Realizing the potential damage we did not cause any damage to [Air Canada’s] infrastructure or internal resources, data exfiltration operation only,” the message says.

Like many other ransomware gangs, BianLian has a double extortion strategy, copying data and threatening to sell or give it away as well as encrypting as many servers as it can. Organizations are then squeezed to pay up to get the stolen data back as well as to get decryption keys.

However, Callow said, since late last year it has stopped encrypting victims’ data and is focusing on information theft. Or, he added, it may still be doing ransomware attacks but under a different name.

There may be several reasons for the shift in strategy, he said: The gang may believe overseeing encryption code and managing decryption keys “is not necessary to make a profit.” It may also hope that merely stealing data makes the gang less of a target for law enforcement, which gets active in high-profile attacks. And BianLian may hope that organizations have “less of a moral objection” to paying what is perceived as strictly a criminal group as opposed to a ransomware gang.

However, Callow agreed, paying a criminal group a ransom still encourages cyber attacks.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs