BianLian Extortionists Threaten to Release Data Stolen in Air Canada Breach

A cybercrime group known as BianLian has claimed responsibility for the September data breach of Air Canada, and threatens to release troves of data, including personal information of employees.

Canada’s largest airline confirmed in September that criminals had obtained access to its internal systems, making off with “certain records” and limited information of some employees.

Extortionists with the BianLian cybercrime group this week took responsibility for the attack, claiming to have exfiltrated some 210 GB of data, including technical and operational documents, SQL backups, personal information of employees, data on vendors and suppliers, and more.

The trove also includes details of the company's technical and security challenges, the attackers claim, adding that “Employee personal data is only a small fraction of the valuable data over which they have lost control,” as reported by BleepingComputer.

A spokesperson told the cybersecurity news site that the airline is aware of the attackers’ claims, indicating that the company has refused to negotiate with their aggressors.

“BianLian had threatened to resort to exploiting the media in their unsuccessful extortion efforts,” the spokesperson said.

While Air Canada maintains that no customer data has been affected, the airline is taking preemptive measures, instructing customers via email to enable multi-factor authentication on their Aeroplan accounts, saying “cybercriminals are known for finding creative way to access your information.”

BianLian’s modus operandi is to extort money by threatening to release data if payment is not made. The ransomware group originally operated under the well-established double-extortion model, crippling victims’ systems while also exfiltrating data for extortion. More recently, the group shifted to plain extortion.

Also this week, Air Europa, Spain’s third-largest airline, began notifying customers that cyber criminals hacked its web portal to steal credit card information. The airline urged affected customers to contact their bank and ask to cancel their credit or debit card “to prevent possible fraudulent use.”