Cyber Incident Victim: TAP Air Portugal
Date: Aug 2022
Location: Portugal
Summary
TAP Air Portugal experienced a cyberattack claimed by the Ragnar Locker ransomware group. The group alleged it had compromised customer data including names, birthdates, emails, and addresses, and threatened to release evidence contradicting the airline's assessment. The company stated the attack was blocked, operational systems remained secure, and no evidence indicated unauthorized access to customer information, though website and application instability persisted following the incident.
Description
On August 25, 2022, TAP Air Portugal disclosed via its official Twitter account that it had been targeted by a cyberattack, which it stated had been successfully blocked. The airline assured stakeholders that operational integrity remained intact and emphasized no evidence had been found indicating unauthorized access to customer data stored on affected servers. The company acknowledged residual technical instability impacting its website and mobile application following the incident.

Six days later, on August 31, the Ragnar Locker ransomware group claimed responsibility for the attack through a post on their data leak site, contradicting TAP’s assertions regarding data security. The threat actors alleged they had obtained hundreds of gigabytes of data during the intrusion and threatened to release "irrefutable evidence" disproving TAP’s claim that customer information remained uncompromised. As partial validation of their claims, Ragnar Locker published a screenshot depicting a spreadsheet containing fields consistent with customer records, including full names, dates of birth, email addresses, and physical addresses. TAP did not publicly confirm or deny the ransomware group’s assertions regarding data exfiltration or the nature of the attack as ransomware at the time of initial disclosures.

The incident caused measurable service disruptions, with TAP confirming persistent instability in customer-facing digital platforms post-attack. While the airline maintained no operational systems were compromised beyond these disruptions, Ragnar Locker’s data leak threat introduced potential reputational and regulatory risks associated with possible unauthorized access to passenger information. The ransomware group’s historical pattern of targeting critical infrastructure entities—including previous attacks against Portugal’s Energias de Portugal (EDP), Japanese gaming firm Capcom, semiconductor manufacturer ADATA, and aerospace company Dassault Falcon—highlighted the significance of TAP’s status as Portugal’s largest airline and primary air transport provider. Ragnar Locker’s operational history, documented by the FBI as impacting at least 52 U.S. critical infrastructure organizations between April 2020 and March 2022, underscored the group’s persistent threat profile. TAP’s incident response focused on containment through blocking the attack, restoring digital services, and conducting forensic analysis to assess data exposure, though the organization did not release detailed technical findings regarding attack vectors or network penetration depth. The discrepancy between TAP’s public statements and Ragnar Locker’s claims regarding data compromise remained unresolved in available public reporting.
