Rhysida ransomware attack hits Port of Seattle, affecting 90K

The Port of Seattle is warning 90,000 people their personal data was stolen in an August ransomware attack linked to the Rhysida cybercrime gang.

What happened

The Port of Seattle has begun notifying approximately 90,000 individuals that their personal information was compromised during a ransomware attack in August 2024. The Port, which oversees Seattle’s seaport and Seattle-Tacoma International Airport (SEA), confirmed that the cybercriminal group Rhysida was behind the attack. Although the incident initially caused major IT disruptions, including delays to flights and outages in airport systems and apps, the full scope of the data breach is only now coming into focus.

Going deeper

The Port first acknowledged the attack on August 24, noting widespread service interruptions. Systems affected included reservation check-in kiosks, passenger display boards, the Port’s website, and the flySEA app. Flights at SEA Airport were also delayed. On September 13, the Port officially attributed the breach to Rhysida, a ransomware-as-a-service (RaaS) operation.

Despite threats from the group to leak stolen data, the Port refused to pay the ransom. At the time, officials said they were still assessing the extent of the stolen data, acknowledging that some information was likely accessed between mid and late August.

As of April 3, 2025, the Port has confirmed that the breach impacted around 90,000 individuals, 71,000 of whom are residents of Washington state. Compromised data includes names, dates of birth, Social Security numbers (or partial SSNs), driver's license or other government ID numbers, and in some cases, medical information. The breach primarily affected employees, contractors, and individuals associated with Port parking services.

What was said

The Port stated that airport and maritime passenger systems were not compromised and payment systems remained secure. “At no point did this incident affect the ability to safely travel to or from SEA Airport or use the Port’s maritime facilities,” the agency said. They added that systems belonging to partners such as the FAA, TSA, and U.S. Customs and Border Protection were also untouched.

In their September statement, Port officials explained, “We have refused to pay the ransom demanded, and as a result, the actor may respond by posting data they claim to have stolen on their dark web site.”

In the know

The Port of Seattle joins a growing list of high-profile targets breached by the Rhysida ransomware group, which has gained global attention since emerging in mid-2023. Past victims include the British Library, Sony subsidiary Insomniac Games, the City of Columbus, and MarineMax. Rhysida affiliates were also behind an August 2023 breach at Singing River Health System that impacted nearly 900,000 people.

The big picture

The breach reveals the long tail of ransomware attacks where operational disruptions may resolve quickly, but data exposure and public notification can stretch for months. It also reflects a broader pattern of attackers targeting public institutions, healthcare systems, and critical infrastructure, where the ripple effects can be far-reaching even without a ransom payout.

FAQs

Why is Rhysida targeting public infrastructure like the Port of Seattle?

Public agencies often hold large volumes of sensitive personal data but may lack the cybersecurity resources of private-sector counterparts, making them attractive and vulnerable targets.

What makes ransomware attacks like this one especially dangerous?

The impact extends beyond initial disruptions—stolen data can be sold, leaked, or used for identity theft months or years after the breach.

What should affected individuals do to protect themselves?

Monitor credit reports, consider placing a fraud alert or credit freeze, and be cautious of phishing attempts using leaked personal information.

How does refusing to pay a ransom affect outcomes?

While refusing payment avoids funding criminal groups, it often leads to data being leaked or sold, as attackers seek to maximize pressure and profit.

What can ports and similar entities do to reduce their risk?

Invest in regular security audits, employee training, incident response plans, and partnerships with cybersecurity experts to better defend against ransomware threats.