Gang says it stole more Air Canada data than the company admits

Share post:

The BianLian ransomware gang says Air Canada hasn’t been forthright about the amount of data it stole in last month’s cyber attack.

Last month the airline said an attacker “briefly obtained limited access to an internal Air Canada system related to limited personal information of some employees and certain records.” The statement didn’t say how much data was copied.

But this week, in an attempt to pressure the airline, the gang said on its data leak site the company “is only telling half-truths. Employee personal data is only a small fraction of the valuable data over which they have lost control. For example, we have SQL databases with company technical and security issues.”

The gang alleges it has Air Canada technical and operational data from 2008 through 2023, information on the company’s technical and security issues, SQL backups, and unspecified confidential documents as well as employee personal data.

As proof it posted a screenshot of alleged stolen file names, and samples are available for viewing.

Brett Callow, a British Columbia-based threat analyst for Emsisoft who re-posted the gang’s message on X, doesn’t know if the listed data is really from Air Canada.

IT World Canada has asked the airline for comment.

The gang also is trying to put itself in a good light, saying it didn’t install ransomware, only stole data. “Realizing the potential damage we did not cause any damage to [Air Canada’s] infrastructure or internal resources, data exfiltration operation only,” the message says.

Like many other ransomware gangs, BianLian has a double extortion strategy, copying data and threatening to sell or give it away as well as encrypting as many servers as it can. Organizations are then squeezed to pay up to get the stolen data back as well as to get decryption keys.

However, Callow said, since late last year it has stopped encrypting victims’ data and is focusing on information theft. Or, he added, it may still be doing ransomware attacks but under a different name.

There may be several reasons for the shift in strategy, he said: The gang may believe overseeing encryption code and managing decryption keys “is not necessary to make a profit.” It may also hope that merely stealing data makes the gang less of a target for law enforcement, which gets active in high-profile attacks. And BianLian may hope that organizations have “less of a moral objection” to paying what is perceived as strictly a criminal group as opposed to a ransomware gang.

However, Callow agreed, paying a criminal group a ransom still encourages cyber attacks.

The post Gang says it stole more Air Canada data than the company admits first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs


Related articles

Cyber Security Today, Week in Review for week ending Friday, Feb. 23, 2024

This episode features discussion on the takedown of the LockBit ransomware gang

Breaking news: RCMP facing ‘alarming’ cyber attack

The RCMP is facing a serious cyber attack from an unspecified threat actor. The Mounties told CBC News today that a “breach of this magnitude is alarming.” “The situation is evolving quickly but at this time, there is no impact on RCMP operations and no known threat to the safety and security of Canadians,” a spokesperson

Leaked documents may show the inside of China’s hacking strategy

Documents apparently stolen by disgruntled employees to embarrass their firm may give insight into China's cyber

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways