
The Port of Seattle, which operates Seattle-Tacoma International Airport (SEA) and multiple container terminals, confirmed that a ransomware attack in August 2024 compromised the personal data of approximately 90,000 individuals. The breach primarily affected employees, contractors, and parking users, with 71,000 victims residing in Washington state. Notification letters were sent in April 2025 after an eight-month forensic investigation [1].
Attack Details and Attribution
The Rhysida ransomware group claimed responsibility for the attack, which targeted Port of Seattle systems, including those supporting airport operations. The group is known for high-profile attacks against entities like the British Library and Chilean Army [2]. Investigators found that attackers exfiltrated names, dates of birth, Social Security numbers, government ID numbers, and limited medical information. Critical systems handling payment processing and passenger data remained unaffected [3].
Port officials refused to pay the ransom demand, prompting Rhysida to threaten data leaks. The attack caused temporary disruptions, including flight delays, as IT teams isolated compromised systems. Reconstruction efforts delayed breach notifications until April 2025 [4].
Technical Impact and Response
The attack vector remains undisclosed, but cybersecurity experts speculate the group may have exploited unpatched vulnerabilities or used credential-stuffing techniques. Dave Henderson, a cybersecurity CEO cited in source materials, noted attackers likely conducted extensive reconnaissance before executing the ransomware deployment [2].
Port of Seattle’s incident response included:
- Immediate isolation of affected systems
- Engagement of third-party forensic investigators
- Implementation of enhanced monitoring for credential misuse
- Rebuilding compromised infrastructure with stricter access controls
Security Recommendations
Organizations managing critical infrastructure should prioritize:
- Regular audits of privileged account access
- Network segmentation to limit lateral movement
- Multi-factor authentication for all administrative interfaces
- Frequent backups tested for restoration integrity
The delayed notification timeline highlights challenges in balancing forensic accuracy with regulatory requirements. Washington state law mandates breach notifications within 30 days of discovery, but complex investigations may justify extensions [1].
Conclusion
This incident underscores the persistent threat ransomware poses to transportation infrastructure. While the Port of Seattle mitigated operational impacts, the exposure of sensitive personal data creates long-term risks for affected individuals. Organizations should review the Port’s disclosure timeline and response measures when evaluating their own incident response plans.
References
1. “Port of Seattle providing notice to individuals affected by fall 2024 cyberattack,” Port of Seattle Official Notice, 2025.
2. “Port of Seattle says ransomware breach impacts 90,000 people,” BleepingComputer, 2025.
3. “Port of Seattle August data breach impacted 90,000 people,” SecurityAffairs, 2025.
4. “Sea-Tac Airport begins alerting victims in last year’s cyberattack,” Seattle Times, 2025.