Tulsa International Airport Data Breach Claim: Alleged Ransomware Attack by Qilin

Executive Summary

The ransomware group Qilin has claimed responsibility for an alleged cyberattack against Tulsa International Airport (TUL). The group listed the airport on its dark web leak site and published a limited set of documents as proof of data exfiltration. At the time of reporting, the airport has not publicly confirmed the incident. If validated, the compromise may have implications for critical transportation infrastructure, aviation operations, and affiliated third-party entities.

Victim Profile

  • Organization: Tulsa International Airport (TUL)
  • Sector: Transportation / Aviation / Critical Infrastructure
  • Location: Northeastern Oklahoma, United States
  • Operational Significance:

    • Serves over 3 million passengers annually
    • Supports commercial, cargo, private, and military aviation
    • Hosts the Oklahoma Air National Guard’s 138th Fighter Wing
    • Functions as the global maintenance and engineering headquarters for American Airlines
    • Supports major logistics providers including FedEx Express and UPS

The airport’s role in both civilian and military aviation increases its attractiveness as a target for ransomware and extortion-focused threat actors.

Threat Actor Overview

  • Threat Group: Qilin (Ransomware-as-a-Service)
  • Attribution: Self-claimed via dark web leak site
  • Motivation: Financial extortion through data theft and public exposure

Qilin is known for double-extortion tactics, combining ransomware deployment with data exfiltration to increase pressure on victims.

Overview of the Exposed Data

According to the threat actor, 18 sample files were posted online to support their claims. These samples show a wide range of sensitive internal and personal data.

The leaked information reportedly includes:

  • Email conversations between airport executives and senior banking officials
  • Passports and other personal identification documents
  • Financial records such as yearly budgets and revenue reports
  • Confidentiality and non-disclosure agreements
  • Telehealth reports and internal governance meeting notes
  • Insurance documents and banking communications
  • Tenant and vendor databases
  • Court-related documents

Breakdown of Leaked Data Samples

1. High-Level Officials’ Email Communications

The leaked data includes email conversations between airport executives and senior banking officials. These emails reportedly expose email addresses and phone numbers of high-ranking individuals, including a Senior Managing Director and the Executive Vice President and Chief Financial Officer of Tulsa International Airport.

2. Non-Disclosure Agreements (NDAs)

Several leaked files are Non-Disclosure Agreements (NDAs). These documents often contain sensitive executive details, including the full name and phone number of the Tulsa Airports Improvement Trust CEO.

3. Year-Wise Revenue and Budget Details (2023–2024)

The leaked screenshots show yearly budget and revenue data from 2023 to 2024, offering insight into how the airport planned its spending and tracked income during these years.

4. FY2026 Project Budget Summary

Another screenshot highlights the total project budget for the 2026 financial year, showing planned spending across multiple airport projects.

5. Tenant and Vendor Records

The exposed data also includes tenant and vendor records, containing phone numbers, email addresses, site details, and notice information related to businesses operating at the airport.

6. Passport Information

Some leaked files reportedly contain passport details, exposing highly sensitive personal identification information that is normally kept secure.

Key Details of the Breach

  • The ransomware group Qilin claims it hacked Tulsa International Airport and stole sensitive data.
  • Leaked files include financial records, internal emails, and employee identification documents.
  • Some data reportedly exposes passports and contact details of senior officials.
  • This incident is considered the first reported cyberattack on the airline sector in 2026, though it remains unconfirmed by the airport.

Key Recommendations to Prevent Cyber Incidents

  1. Use EDR & SIEM Tools
    Deploy Endpoint Detection and Response (EDR) and SIEM solutions such as Gurucul SIEM to monitor systems, detect unusual behavior, and respond to threats in real time.
  2. Limit Access to Sensitive Data
    Apply the principle of least privilege so employees can access only the systems and data they truly need. This reduces damage if an account is compromised.
  3. Enable Multi-Factor Authentication (MFA)
    Use MFA for email, VPNs, and critical systems to prevent attackers from accessing accounts using stolen passwords alone.
  4. Keep Systems and Software Updated
    Regularly patch operating systems, applications, and network devices to close security gaps that ransomware groups often exploit.
  5. Protect and Test Backups
    Maintain regular, offline backups of critical data and test them often. This allows recovery without paying ransom if systems are encrypted.
  6. Train Employees on Cyber Awareness
    Educate staff to recognize phishing emails, suspicious links, and unexpected attachments, which are common entry points for ransomware attacks.