Ransomware | Resolved

Swissport ransomware attack

The BlackCat (ALPHV) ransomware gang struck aviation ground-handling giant Swissport, delaying flights at Zurich Airport and stealing 1.6 TB of data that was later leaked online.

Victim
Swissport International
Records
1.6 TB

On 3 February 2022, Swissport International (the world's largest provider of airport ground-handling and air-cargo services, operating at hundreds of airports across some 45 countries) was hit by ransomware. The BlackCat (ALPHV) gang later claimed responsibility and leaked 1.6 TB of stolen data, in an attack that briefly rippled into flight operations at Zurich Airport.

What happened

The ransomware struck Swissport's IT infrastructure on 3 February. The company reported the incident publicly on 4 February, stating that parts of its IT systems were affected and that compromised devices had been taken offline. Ground-handling disruptions caused 22 flight delays at Zurich Airport, though the operational impact stayed limited because staff fell back on manual workarounds and redundant systems.

Swissport said it contained the incident within about 48 hours. On 14 February 2022, the BlackCat (ALPHV) ransomware operation, a Russian-speaking group that had evolved out of the DarkSide/BlackMatter lineage behind the 2021 Colonial Pipeline attack, claimed the breach and published a sample of stolen files on its leak site.

Impact

  • 22 flights were delayed at Zurich Airport on the day of the attack; broader ground-handling operations were degraded for roughly 48 hours.
  • BlackCat claimed to have stolen 1.6 TB of data, which it offered for leak.
  • The leaked sample included personal and HR information, such as job-applicant records, passport scans, and other identity documents: a classic double-extortion play combining encryption with data theft.

Response

Swissport activated business-continuity procedures, isolated affected systems, and restored operations within days. The company worked with external incident responders and cooperated with authorities. It publicly stated that flight operations were not materially affected beyond the initial delays and that it had no indication of broader operational compromise.

Why it matters

The Swissport attack underscored the systemic fragility of aviation supply chains: because ground handlers sit at the operational heart of dozens of airlines and airports, even a quickly contained intrusion can cascade into flight delays across a hub. Coming weeks after ransomware disruptions at European oil terminals, it became a reference case for how the BlackCat/ALPHV affiliate model targeted critical-infrastructure operators, and it reinforced calls for stronger third-party and operational-technology resilience across the air-transport sector.

Timeline

  1. Swissport's IT infrastructure is hit by ransomware, disrupting ground-handling operations.

  2. Swissport reports the incident and takes affected systems offline; 22 flights are delayed at Zurich Airport.

  3. Swissport says the attack was largely contained within about 48 hours using manual fallback procedures.

  4. The BlackCat (ALPHV) gang claims the attack and begins leaking 1.6 TB of stolen data, including personal and HR records.

Sources

  1. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/blackcat-alphv-claims-swissport-ransomware-attack-leaks-data/
  2. computerweekly.com: https://www.computerweekly.com/news/252513488/BlackCat-ransomware-gang-claims-responsibility-for-Swissport-attack
  3. pentasecurity.com: https://www.pentasecurity.com/blog/security-weekly-swissport-alphv-blackcat-ransomware/
  4. cds.thalesgroup.com: https://cds.thalesgroup.com/en/node/120

Related incidents

Ransomware | Contained

Xplain Play ransomware and Swiss federal documents leak (2023)

Play ransomware breached Swiss IT services provider Xplain, exfiltrating 1.3 million files. Approximately 65,000 documents belonging to the Swiss Federal Administration, including classified content, personal data, and readable passwords, were published on Play's dark-web leak site in June 2023.

Victim
Xplain (Swiss IT services provider to the Federal Administration)
Records
1.3M

Ransomware | Resolved

SickKids hospital ransomware attack

Toronto's Hospital for Sick Children was hit by a ransomware attack over the December 2022 holidays that delayed lab and imaging results; in a rare move, the LockBit gang apologized, blamed a rogue affiliate, and released a free decryptor.

Victim
The Hospital for Sick Children (SickKids)