Full Report
Port of Seattle, the U.S. government agency overseeing Seattle's seaport and airport, is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack. [...]
Analysis Summary
# Incident Report: Port of Seattle Ransomware Breach
## Executive Summary
The Port of Seattle experienced a ransomware attack, attributed to the Rhysida RaaS operation, resulting in the exfiltration of sensitive personal data belonging to approximately 90,000 individuals. While operations at the Seattle-Tacoma International Airport (SEA) and port maritime facilities were not affected, the breach exposed information including Social Security numbers and driver's license details. The Port is currently engaged in notifying affected parties and managing the fallout from the incident.
## Incident Details
- Discovery Date: Fall 2024 (Implied, as notice was provided in Fall 2024)
- Incident Date: Fall 2024 (the date of the initial compromise/encryption is not specified in the source; only the notification date is given)
- Affected Organization: Port of Seattle
- Sector: Government/Transportation/Port Authority
- Geography: Seattle, Washington, USA
## Timeline of Events
### Initial Access
- Date/Time: Unknown (Occurred prior to notification in Fall 2024)
- Vector: Not stated in the source text; ransomware intrusions of this kind typically begin with an external compromise that is then used to reach the internal network.
- Details: The attack resulted in data theft and the deployment of ransomware.
### Lateral Movement
- Details: Specific lateral movement techniques are not detailed, but successful ransomware deployment implies established persistence and access to target systems containing PII.
### Data Exfiltration/Impact
- Details: Sensitive personal information was stolen and exfiltrated. This included Social Security numbers, driver's license or other government identification card numbers, and some medical information. Payment processing systems were reportedly unaffected.
### Detection & Response
- Details: The Port of Seattle began providing notice to affected individuals in the Fall of 2024. Response actions focused on notification and assurances that core operational systems (airport travel, port facilities, airline/federal partners) remained functional.
## Attack Methodology
- Initial Access: Unknown (the ransomware delivery vector is not stated)
- Persistence: Unknown
- Privilege Escalation: Unknown
- Defense Evasion: Unknown
- Credential Access: Unknown
- Discovery: Unknown
- Lateral Movement: Unknown
- Collection: Data relevant to approximately 90,000 individuals was collected (SSNs, IDs, medical info).
- Exfiltration: Sensitive data was stolen before encryption/locking.
- Impact: Exposure of 90,000 individuals' Personally Identifiable Information (PII).
## Impact Assessment
- Financial: Not quantified, but includes costs for investigation, remediation, and mandatory notification/credit monitoring for victims.
- Data Breach: PII for approximately 90,000 individuals, including SSNs, driver's licenses/government IDs, and medical information.
- Operational: Core operations (SEA Airport and maritime facilities) were **not** affected. Proprietary systems of major airline/cruise partners and federal partners (FAA, TSA, CBP) were unaffected.
- Reputational: Significant negative publicity due to the scale of the data breach and the sensitivity of the compromised data (SSNs).
## Indicators of Compromise
- Network indicators: None specified (URLs/IPs were not detailed in the summary).
- File indicators: None specified; the ransomware operation is identified as **Rhysida** (RaaS).
- Behavioral indicators: Data exfiltration followed by ransomware deployment.
## Response Actions
- Containment: Not detailed; steps to stop further data loss after discovery are implied.
- Eradication: Not detailed.
- Recovery: Core operational systems were maintained; focus shifted to victim notification.
## Lessons Learned
- The organization maintains sensitive PII (SSNs, Health Info) that is highly attractive to threat actors.
- Despite the attack, critical infrastructure operations (airport/maritime facilities) maintained resilience and continuity.
- The Rhysida RaaS group is an active and significant threat actor, having previously targeted high-profile organizations (British Library, Chilean Army, Sony subsidiary).
## Recommendations
- Immediately review and enhance controls protecting data containing highly sensitive PII like SSNs and medical records, likely requiring segmentation and stronger access controls separate from general operational networks.
- Conduct a thorough forensic investigation to determine the exact initial access vector utilized by Rhysida.
- Implement advanced endpoint detection and response (EDR) capabilities to detect persistence mechanisms and rapid lateral movement common in RaaS operations.
- Review segmentation between core operational technology (OT) systems and IT systems that hold PII to ensure a failure in one does not cascade.