The Akira ransomware group has claimed responsibility for a cyberattack on the Buffalo Convention Center, threatening to publish 46 gigabytes of allegedly stolen data tied to approximately 180,000 individuals. The leak-site listing, verified by dark web monitoring firm Breach Sense, describes employee records, contracts, financial information, and personal data. Akira, classified by the FBI as a ransomware-as-a-service operation, has extorted over $250 million from organizations worldwide since 2023.
What Happened
Akira listed the Buffalo Convention Center on its dark web leak site, claiming to have exfiltrated 46 gigabytes of sensitive data from the venue's systems. The group is using the threat of public data disclosure to pressure the convention center into paying a ransom. Buffalo Convention Center has not responded to requests for comment, and the exact entry vector remains unconfirmed. Breach Sense, a dark web monitoring firm, independently verified the listing.
According to Ben Taylor, resilience director at Gate 15, the 180,000-individual figure may reflect data sourced through a third-party vendor, a direct compromise of venue systems, or inflated claims designed to amplify pressure on the victim. Ransomware actors routinely overstate breach scope to accelerate negotiations.
What Was Taken
Akira claims to have exfiltrated approximately 46 gigabytes of data, including:
- Employee records and personnel files
- Vendor and exhibitor contracts
- Financial information
- Personal data tied to roughly 180,000 individuals
- Likely attendee registration and payment-related records
Convention centers are particularly attractive targets because they aggregate high volumes of attendee registrations, exhibitor profiles, payment card data, signed contracts, and operational records, often across multiple events and third-party platforms.
Why It Matters
This incident underscores a growing pattern of ransomware actors targeting event venues and convention centers, which sit at the intersection of hospitality, retail payments, and B2B data aggregation. Recent victims listed by ransomware groups include the Long Beach Convention and Entertainment Center, Pennsylvania Convention Center, Calgary TELUS Convention Centre, and Quebec City Convention Centre. The pattern suggests organized targeting of the sector rather than opportunistic intrusions.
For event planners, exhibitors, and corporate attendees, the breach creates downstream risk: leaked attendee lists fuel highly targeted spear phishing, while exposed contracts and financial data can enable business email compromise against vendors and clients tied to upcoming events.
The Attack Technique
The specific intrusion vector has not been publicly disclosed. However, Akira affiliates are known to gain initial access through:
- Compromised VPN credentials, particularly on Cisco ASA and SonicWall appliances lacking multi-factor authentication
- Exploitation of unpatched edge devices and remote access services
- Phishing campaigns delivering credential harvesters or initial access malware
- Purchase of valid credentials from initial access brokers
Akira typically deploys double extortion: stealing sensitive files before encrypting networks, then threatening public release if payment is withheld. Taylor noted that AI is accelerating the threat landscape by enabling more personalized and scalable phishing operations, lowering the barrier for affiliate access.
What Organizations Should Do
- Enforce phishing-resistant MFA on all remote access, VPN, and administrative interfaces, with priority on Cisco ASA, SonicWall, and other perimeter devices that Akira affiliates routinely target.
- Audit and segment third-party vendor access, particularly registration platforms, payment processors, and exhibitor management systems that handle attendee PII.
- Patch internet-facing infrastructure aggressively, including VPN concentrators, firewalls, and remote management tools. Known Akira entry points should be prioritized.
- Deploy endpoint detection and response (EDR) with behavioral analytics capable of detecting lateral movement, credential dumping, and large-volume data staging consistent with pre-encryption exfiltration.
- Maintain immutable, offline backups and rehearse restoration procedures. Ransomware recovery without paying depends on backup integrity.
- Event planners should require vendor cybersecurity attestations before booking venues, including incident history, MFA coverage, data retention policies, and breach notification commitments.
Sources: Ransomware Group Claims Cyberattack on Buffalo Convention Center