Port of Seattle Ransomware Attack Exposes 90,000 People's Data, Disrupts Airport Operations

A major ransomware attack on the Port of Seattle has compromised sensitive personal information of approximately 90,000 individuals and caused significant operational disruptions at one of America’s busiest transportation hubs.

Attack Details and Impact

The Port of Seattle officially confirmed that a ransomware attack in August 2024 resulted in the theft of personal data from roughly 90,000 people. The breached information includes names, dates of birth, full or partial Social Security numbers, driver’s license or government ID numbers, and some medical information.

On April 3, 2025, the Port began notifying affected individuals, revealing that approximately 71,000 Washington state residents were among those impacted by the data breach.

Airport Operations Disrupted

The cyberattack, which occurred in mid-August 2024, was officially acknowledged by port authorities on August 24. The incident severely affected operations at Seattle-Tacoma International Airport (SEA), causing outages across multiple systems:

• The SEA Airport website
• The flySEA mobile application
• Reservation confirmation systems
• Passenger information display boards

These disruptions led to flight delays, though the Port emphasized that critical federal agency systems, airline operations, and cruise line operations remained unaffected. They also assured the public that air traffic safety systems and payment processing infrastructure continued functioning normally.

Rhysida Ransomware Group Behind the Attack

Three weeks after the incident, on September 13, the Port of Seattle identified the Rhysida ransomware group as responsible for the attack. Rhysida, which first emerged in May 2023, operates under a Ransomware-as-a-Service (RaaS) model and has previously targeted several high-profile organizations, including:

• The British Library
• Chilean Army (Ejército de Chile)
• City of Columbus, Ohio
• Sony Insomniac Games
• Marine distribution company MarineMax
• Singing River Health System

Refusal to Pay Ransom

Port officials revealed that they refused to comply with the hackers’ financial demands, stating: “We did not respond to the extortion attempt, which may result in the attackers publishing the stolen data on the dark web.” The Port continues to investigate the full extent of the breach, noting that such investigations are complex and time-consuming.

Data Exposure and Response

The Port of Seattle emphasized that it stores minimal passenger-related information. The compromised data primarily belonged to:

• Internal employees
• Contractors
• Parking service users

According to the notification letters, the combination of exposed data varied by individual, with some cases including medical information. The Port is offering free credit monitoring services for one year and providing identity theft response guidelines to those affected.

Limited Passenger Information Exposure

Port officials stressed that they maintain very limited storage of passenger data for both air and maritime travelers, minimizing the breach’s impact on the general traveling public. However, the scale of the attack has raised concerns about infrastructure security across the transportation sector.

Security Experts Weigh In

Cybersecurity specialists note that this incident highlights the growing trend of Ransomware-as-a-Service operations targeting public institutions. They emphasize that Rhysida specifically selects targets for maximum impact, employing a strategy of data exfiltration followed by extortion.

“Systems with multiple stakeholders like public agencies and airports create significant social disruption when compromised,” explained one security expert. “Strengthening backup systems and employing threat intelligence to detect RaaS activities early is crucial.”

Experts also recommend:

• Data minimization policies to reduce potential exposure
• Multi-layered security frameworks to protect critical infrastructure
• Systematic simulation of post-attack responses
• Restructuring internal sensitive information management systems

The attack on the Port of Seattle serves as a stark reminder of the vulnerability of critical infrastructure to sophisticated ransomware operations and the importance of robust cybersecurity measures to protect sensitive data and maintain operational continuity.