LockBit ransomware leaks Bangkok Airways data, goes after Accenture customers

Bangkok Airways, a major airline company in Thailand, confirmed it was the victim of a cyberattack earlier this month that compromised personal data of passengers.

The announcement came after the LockBit ransomware gang had posted a message on their leak site claiming the breach and threatening to publish stolen data unless the ransom was paid.

LockBit is the same hacker group that breached Accenture global IT consultancy giant and demanded a $50 million payment to stop the leak of allegedly 6TB of stolen data.

Following the attack, the threat actor said that they had collected sufficient data to breach some Accenture clients.

Passenger data leaked

On Saturday, LockBit ransomware leaked more than 200GB of data belonging to the Thai company, suggesting that the security of its system was in dissonance with the airline’s claims to protect its customers’ privacy.

LockBit leaks over 200GB of data stolen from Bangkok Airways
source: BleepingComputer

The airline discovered the attack on August 23 and took steps to contain the incident. An investigation also started, to check what data had been compromised.

While the attack did not impact Bangkok Airways’ operational or aeronautical security systems, the airline said that the hackers may have accessed personal data belonging to passengers.

The details exposed during the attack include full names, nationality, gender, phone numbers, email and physical addresses, passport info, historical travel data, partial credit card info, and special meal details.

Bangkok Airways warns its customers that the attackers may try to impersonate a company representative in unsolicited calls or emails to collect more personal data or credit card information.

Focus on Accenture customers

Before hitting Bangkok Airways, the LockBit ransomware gang encrypted the systems of another airline company, Ethiopian, and announced on August 23 the publishing of stolen data.

LockBit leaks data stolen from Ethiopian Airlines
source: BleepingComputer

Both these attacks happened after the hackers compromised the systems of Accenture, allegedly with the help of an insider.

In a conversation with BleepingComputer, the threat actor said that the Accenture breach gave them access to credentials that would enable them to go after company customers.

Although the hackers declined to name a victim, they claimed to have compromised an airport that was using Accenture software and encrypted its systems.

LockBit ransomware-as-a-service (RaaS) operation has been around since September 2019 but version 2.0 of the malware has emerged earlier this year, in June.

The latest update of the malware has been used in at least 70 attacks against organizations all over the world, a clear sign of this RaaS operation’s increased activity.

Update [September 1, 2021, 14:28 EST]: Following the publishing of this article, Accenture sent a statement to BleepingComputer dismissing LockBit's claims:

"We have completed a thorough forensic review of documents on the attacked Accenture systems. This [LockBit's] claim is false. As we have stated, there was no impact on Accenture’s operations, or on our client’s systems. As soon as we detected the presence of this threat actor, we isolated the affected servers" - Accenture

Related Articles:

City of Wichita breach claimed by LockBit ransomware gang

LockBit ransomware admin identified, sanctioned in US, UK, Australia

Lockbit's seized site comes alive to tease new police announcements

French hospital CHC-SV refuses to pay LockBit extortion demand

New ScreenConnect RCE flaw exploited in ransomware attacks