Port of Seattle Ransomware Attack Exposes Personal Data of 90,000 Individuals

In August 2024, the Port of Seattle, which manages the Seattle-Tacoma International Airport (SEA Airport) and various maritime facilities, experienced a significant ransomware attack orchestrated by the Rhysida group. This cyberattack led to the compromise of personal information belonging to approximately 90,000 individuals.

Incident Overview

On August 24, 2024, the Port detected unauthorized activity within its systems, prompting immediate action to isolate critical infrastructure. This precautionary measure resulted in widespread service disruptions, notably affecting SEA Airport’s operations. Key services such as baggage handling, check-in kiosks, ticketing systems, Wi-Fi networks, passenger information displays, the Port’s official website, the flySEA mobile application, and reserved parking services were all impacted. Despite these challenges, the airport and maritime facilities remained operational, ensuring that flights and cruise operations continued with minimal delays.

Attack Attribution and Response

By mid-September 2024, the Port confirmed that the Rhysida ransomware group was responsible for the attack. This group had infiltrated certain segments of the Port’s computer systems, encrypting data and demanding a ransom. The Port’s Executive Director, Steve Metruck, emphasized the organization’s stance against paying the ransom, stating, “The Port of Seattle has no intent of paying the perpetrators behind the cyberattack on our network.” He further highlighted that complying with such demands would contradict the Port’s values and its commitment to responsible stewardship of taxpayer funds.

Data Compromise Details

In early April 2025, the Port disclosed that the attackers had accessed and exfiltrated personal information from its systems, primarily from legacy databases related to employees, contractors, and parking services. The compromised data includes names, dates of birth, Social Security numbers, driver’s license numbers, other government-issued identification numbers, and medical information. Notably, systems processing payments and those containing passenger information were not affected.

The breach impacted approximately 90,000 individuals, with around 71,000 residing in Washington state. The majority of those affected are current and former employees and contractors associated with the Port and SEA Airport. In response, the Port is offering one year of complimentary credit monitoring and identity theft protection services to all impacted individuals.

Operational Impact and Recovery Efforts

The immediate aftermath of the attack saw significant operational disruptions. Services such as baggage handling, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the Port’s website, the flySEA app, and reserved parking were all affected. The Port’s IT teams worked diligently to restore these services, successfully bringing most systems back online within a week. However, some services, including the Port’s external website and internal portals, required extended recovery periods.

Throughout the recovery process, the Port collaborated with third-party cybersecurity experts and federal agencies to ensure a thorough and secure restoration of its systems. The Port also committed to enhancing its cybersecurity measures to prevent future incidents, focusing on strengthening identity management, authentication protocols, and continuous system monitoring.

Broader Implications and Industry Context

The Rhysida ransomware group, which emerged in May 2023, has been linked to several high-profile attacks, including breaches of the British Library and the Chilean Army. The group’s tactics involve encrypting data and demanding ransoms, with threats to publish stolen information if demands are not met. In the case of the Port of Seattle, the refusal to pay the ransom led to the public release of some of the exfiltrated data on Rhysida’s dark web site.

This incident underscores the growing threat of ransomware attacks targeting critical infrastructure. Organizations managing essential services must prioritize robust cybersecurity frameworks, regular system audits, and comprehensive incident response plans to mitigate potential risks.

Conclusion

The Port of Seattle’s experience with the Rhysida ransomware attack highlights the critical importance of cybersecurity vigilance in safeguarding sensitive information and maintaining operational integrity. By refusing to pay the ransom and focusing on system restoration and security enhancements, the Port demonstrated a commitment to its values and the protection of its stakeholders. This incident serves as a stark reminder for all organizations to proactively address cybersecurity threats and implement resilient defense mechanisms.