Port of Seattle ransomware attack by Rhysida exposed 90K individuals' data. No ransom paid; employee SSNs, medical info stolen. Federal systems safe

Continue reading
The Port of Seattle, a critical hub for maritime and aviation operations in the Pacific Northwest, disclosed this week that a ransomware attack in August 2024 compromised the personal data of approximately 90,000 individuals, including current and former employees, contractors, and parking system users. The breach, attributed to the Rhysida ransomware group, marks one of the most significant cyberattacks on U.S. critical infrastructure in recent years and underscores growing vulnerabilities in legacy public-sector systems.
On August 24, 2024, Port officials detected unusual system outages consistent with a cyber intrusion. The Rhysida group, a ransomware-as-a-service (RaaS) operation active since May 2023, encrypted portions of the Port’s network and exfiltrated sensitive data. While the attack disrupted key airport systems—including baggage handling, flight information displays, and the Port’s public website—officials confirmed that no safety systems at Seattle-Tacoma International Airport (SEA) or maritime facilities were compromised. Federal partners, including the TSA and FAA, also remained unaffected.
By September 13, 2024, the Port publicly named Rhysida as the perpetrator and revealed it had refused to pay the ransom. “Paying criminal organizations contradicts our values and stewardship of public funds,” said Port Executive Director Steve Metruck. The group later leaked snippets of stolen data on its dark web site, including employee Social Security numbers and medical records.
Forensic investigations confirmed attackers accessed:
Notably spared: Payment systems, passenger travel data, and federal agency networks. The Port emphasized it retains “very little” passenger information, a factor that likely limited the breach’s scope.
The attack caused weeks of operational disruptions at SEA Airport during peak Labor Day travel:
By early September, most systems were restored, though the Port’s website remained partially offline until November 2024. “Our teams worked tirelessly to ensure travelers reached their destinations safely,” said Metruck, noting that 4,000+ staff hours were dedicated to recovery.
The decision to reject Rhysida’s ransom demand aligns with FBI and CISA advisories discouraging payments to cybercriminals. However, it came with risks. “Refusing to pay often escalates the threat of data leaks,” said Dr. Elena Torres, a ransomware analyst at the University of Washington. “But capitulating funds future attacks and rarely guarantees data recovery.”
Rhysida, known for high-profile breaches like the British Library and Sony’s Insomniac Games, has leveraged double-extortion tactics since 2023. The group’s dark web auction of Port data—a common strategy to pressure victims—yielded limited traction, according to cybersecurity firm DarkFeed.
The breach highlights systemic risks in aging IT systems used by public agencies. “Legacy systems are low-hanging fruit for attackers,” said Michael Chen, CTO of cybersecurity firm ShieldWall. “The Port’s recovery shows resilience, but this should be a wake-up call for infrastructure modernization.”
The Port has since implemented enhanced security measures, including multi-factor authentication (MFA) and network segmentation. Congress is also reviewing the incident as part of ongoing hearings on national cybersecurity readiness.
The Port plans to invest $15 million in cybersecurity upgrades over the next two years, focusing on AI-driven threat detection and employee training. “We’re committed to leading in security, not just recovering,” Metruck affirmed.
For now, travelers at SEA Airport face no lingering disruptions—a testament to the Port’s operational recovery. But the human toll of the breach lingers, with impacted individuals urged to remain vigilant for years.

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been