TAP Air Portugal ransomware breach
The Ragnar Locker ransomware gang breached Portugal's flag carrier, exfiltrating and later publishing 581 GB of data on roughly 1.5 million customers, exposing names, dates of birth, addresses and contact details for over 5 million email accounts.
- Victim: TAP Air Portugal
- Records: 1.5M
- Users: 6.1M
On 26 August 2022, TAP Air Portugal — Portugal's state-owned flag carrier — confirmed it had been hit by a cyberattack overnight. What the airline initially described as a contained, blocked intrusion turned into the largest customer-data leak in Portuguese aviation history once the Ragnar Locker ransomware gang published hundreds of gigabytes of stolen records weeks later.
What happened
According to TAP, attackers struck its infrastructure on the night of 25 August 2022. The airline activated its security mechanisms, said it had blocked unauthorized access, and reassured passengers that flight operations and safety were unaffected. Crucially, TAP's first statements asserted that "no facts have been found that allow us to conclude that there has been improper access to customer data."
That position did not hold. On 31 August, the Ragnar Locker ransomware operation publicly named TAP on its leak site, claiming it had penetrated the airline's network, stolen customer information, and posted a screenshot of sample records loaded with personally identifiable information. The group framed the airline's downplaying of the incident as a deception of its own customers — a hallmark double-extortion pressure tactic.
Impact
Beginning around 21 September 2022, Ragnar Locker started releasing the data it had exfiltrated:
- A trove of roughly 581 GB of files covering approximately 1.5 million customers.
- Exposed fields included names, dates of birth, genders, nationalities, email addresses, telephone numbers, physical addresses, salutations and spoken languages.
- When the dataset was indexed by Have I Been Pwned on 23 September, it contained over 5 million unique email addresses and affected roughly 6.08 million accounts in total.
No facts publicly confirm that ransomware encrypted core systems or grounded flights; the damage was overwhelmingly a confidentiality breach. TAP and Portugal's data-protection authority (CNPD) treated the exposure as a major personal-data incident requiring customer notification.
Attribution
Ragnar Locker was a well-established ransomware-as-a-service operation known for targeting critical infrastructure and large enterprises, and for its aggressive naming-and-shaming leak site. The gang's infrastructure was later disrupted in an international law-enforcement takedown in October 2023, with arrests in several countries.
Why it matters
The TAP breach is a textbook example of the gap between "attack blocked" and "data safe." TAP's early reassurances aged badly the moment the attacker published proof of exfiltration, eroding customer trust and inviting regulatory scrutiny. For a national carrier handling millions of frequent-flyer and booking records, the episode underscored that ransomware crews increasingly monetize stolen data through publication and extortion even when victims refuse to pay — and that incident communications must account for the possibility that the intruder, not the victim, controls the narrative.
Timeline
- 25 August 2022: Attackers strike TAP Air Portugal's systems overnight; the airline says it detects and blocks the intrusion.
- 26 August 2022: TAP publicly confirms a cyberattack, states services are operating normally and claims no evidence of improper access to customer data.
- 31 August 2022: The Ragnar Locker ransomware gang names TAP on its leak site, claiming it breached the network and exfiltrated customer data, posting a sample.
- Around 21 September 2022: Ragnar Locker begins publishing the stolen data — roughly 581 GB covering about 1.5 million customers — on its dark-web site.
- 23 September 2022: The leaked dataset, containing over 5 million unique email addresses, is indexed by Have I Been Pwned.
Sources
- securityaffairs.com: https://securityaffairs.com/135168/data-breach/ragnar-locker-ransomware-tap-air-portugal.html
- haveibeenpwned.com: https://haveibeenpwned.com/Breach/TAPAirPortugal
- darkreading.com: https://www.darkreading.com/cyberattacks-data-breaches/ragnar-locker-brags-tap-air-portugal-data
- safecommunitiesportugal.com: https://www.safecommunitiesportugal.com/hackers-share-personal-data-of-15-million-tap-customers/