Cyber Incident Victim: Montpellier-Méditerranée Airport
Date: Jul 2023
Location: France
Summary
Montpellier-Méditerranée airport experienced a severe cyberattack that disrupted internal systems, forcing staff to manually manage operations such as baggage handling and boarding for several hours. While no flights were canceled, the incident caused minor delays and continued disruptions. The airport activated crisis protocols, including isolating unaffected systems, leveraging backups, and collaborating with cybersecurity experts to restore services gradually. Authorities, including the Interior Ministry and national gendarmerie, were notified, and a complaint was filed alongside a CNIL data breach report. Initial assessments indicated no data leakage, though a potential ransom motive was considered. The attack marked the airport's first major cybersecurity incident of this scale.
Description
On the night of July 1-2, 2023, Montpellier-Méditerranée Airport experienced a severe cyberattack described by an airport management official as "very violent." The attack disrupted all internal systems, rendering them inoperable for several hours and forcing staff to conduct operations manually. Baggage handling, passenger boarding, and other typically automated processes were executed using alternative procedures, significantly slowing operations. Emmanuel Brehmer, President of the airport’s Executive Board, acknowledged IT difficulties causing minor flight delays but initially avoided explicitly confirming a cyberattack. Despite the disruption, all Sunday flights operated, though with accumulated delays extending into Monday, July 3. The airport’s crisis management plan was activated, prompting notifications to French Interior Ministry security services and the National Gendarmerie by Sunday morning.

Technical teams, supported by an external cybersecurity partner, worked continuously from Sunday to restore systems gradually. Non-compromised systems were proactively disconnected as a precaution. Brehmer confirmed reliance on backups and expected full operational normalization by the evening of July 2 or Monday, July 3, though some internal services required until mid-week for complete recovery. A formal complaint was filed with the Gendarmerie on Tuesday, July 4, and the National Data Protection Authority (CNIL) was notified. Preliminary technical analyses indicated no evidence of data exfiltration, but the airport advised heightened vigilance. The incident marked the first cyberattack of this magnitude against the airport, with authorities investigating its origin and potential ransom motives. Brehmer publicly apologized for disruptions while emphasizing passenger, partner, and employee safety as the top priority throughout the response.
