The Namibia Airports Company (NAC) has confirmed that data stolen during a ransomware attack by the INC Ransomware Group has been published on the dark web. NAC spokesperson Dan Kamati confirmed the release on March 28, 2026, stating that preliminary investigations identified exposed data including airport operations files, financial records, and engineering documents. INC claims to have exfiltrated approximately 500GB of data. Airport operations remain functional, but the data exposure is ongoing and its full scope has not yet been determined.
What Happened
The Namibia Airports Company operates and manages Namibia's civil aviation infrastructure, including Hosea Kutako International Airport in Windhoek. In late March 2026, NAC suffered a ransomware attack attributed to the INC Ransomware Group — a prolific double-extortion operation active across both public and private sector targets globally.
INC followed its standard playbook: exfiltrate data first, then deploy ransomware, then set a countdown timer threatening public release if the ransom is not paid. When the timer expired, INC published approximately 500GB of stolen NAC data to their dark web leak site. NAC confirmed the release and stated that containment measures were implemented following initial detection, with additional defenses deployed post-incident.
Operations at all NAC facilities reportedly remain fully functional. The attack did not disrupt airport safety or security systems — a distinction NAC was quick to make public, likely to reassure aviation regulators and international partners.
What Was Taken
Per NAC's preliminary findings and INC's claims:
- Airport permit system files — operational and administrative permits for airport access and activities
- Parking management databases — potentially including personal vehicle and payment data
- Engineering and project documents — infrastructure schematics, maintenance records, capital project files
- Financial records — scope unconfirmed, but likely includes vendor contracts, procurement data, and budget documents
- Internal reports — classification and sensitivity unconfirmed
Volume: ~500GB per INC's claim. NAC is still verifying whether sensitive personal information was compromised. The presence of permit systems and parking databases suggests consumer PII may be involved alongside operational and financial data.
Why It Matters
Airports are critical national infrastructure. Even when operational systems are unaffected — as NAC reports here — the exfiltration of engineering documents, permit systems, and internal reports creates lasting security risks that extend well beyond the breach itself.
Infrastructure schematics and engineering documents are particularly dangerous in adversarial hands. They can be used to map physical security postures, identify chokepoints, or plan follow-on physical or cyber operations. Permit system data reveals who has legitimate access to restricted areas. Financial and procurement records expose vendor relationships and contract terms.
INC Ransomware has been escalating its targeting of critical infrastructure and government entities. The group is known for patient, methodical intrusions — conducting reconnaissance, identifying sensitive data stores, and exfiltrating before triggering encryption. This is not an opportunistic attack; NAC was selected, accessed, and systematically drained before the ransom clock started.
The broader signal: African government and infrastructure organizations are increasingly targeted by sophisticated ransomware groups. NAC is unlikely to be the last.
The Attack Technique
INC Ransomware Group employs double-extortion — data theft followed by encryption — to maximize leverage. Their documented TTPs include:
- Initial access via phishing or exploitation of internet-facing systems (VPNs, RDP, unpatched web applications)
- Living-off-the-land techniques post-compromise to avoid detection during the dwell period
- Lateral movement to identify and access file servers, databases, and backup systems
- Staged exfiltration of high-value data prior to deploying ransomware
- Countdown leak site to apply public pressure for payment
The specific initial access vector for the NAC breach has not been disclosed. The 500GB exfiltration volume suggests extended dwell time with significant lateral movement across multiple systems and data stores.
What Organizations Should Do
- Treat internet-facing systems as your highest-priority attack surface. VPNs, RDP endpoints, and web applications are INC's preferred entry points. Ensure they are patched, MFA-enforced, and actively monitored for anomalous authentication.
- Implement data exfiltration monitoring. 500GB does not leave a network silently. DLP controls, anomalous outbound traffic alerts, and egress monitoring would have flagged INC's exfiltration before the ransom clock started. If you can't detect bulk outbound transfers, you will always be reacting after the fact.
- Segment operational technology (OT) from IT networks. Airport operational systems — safety, navigation, access control — must be air-gapped or strictly segmented from administrative IT. NAC's operational systems survived; that's the best-case outcome of proper segmentation.
- Protect engineering and infrastructure documents with classification controls. Schematics, project files, and permit systems should carry access controls commensurate with their sensitivity. Not everyone who needs financial data needs airport infrastructure layouts.
- Test your backup integrity and recovery playbooks. Double-extortion works because victims often can't restore quickly enough. Offline, immutable backups tested under realistic recovery scenarios reduce the leverage INC and similar groups hold.
- Develop a public communications plan before an incident occurs. NAC's rapid confirmation of the breach and clear statement that operations were unaffected was well-executed. Organizations should have stakeholder communication templates ready — confusion and silence amplify reputational damage.
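The bulk outbound transfer detection recommended in the list above, as an added example that is not part of the original article: staged exfiltration can stay under a per-connection size alert, so this check sums each internal host's bytes to external destinations over a trailing window of days. The flow records, internal address range, window length and thresholds are constructed assumptions, not details of the NAC incident.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

GB = 1024 ** 3
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumption: the site's internal ranges

# Constructed sample flows: (day_index, internal_src, dst, bytes_out).
# External destinations use RFC 5737 documentation addresses.
SAMPLE_FLOWS = (
    [(d, "10.0.5.20", "198.51.100.7", 1 * GB) for d in range(0, 3)]    # normal days
    + [(d, "10.0.5.20", "203.0.113.50", 40 * GB) for d in range(3, 8)]  # staged, 40 GB/day
    + [(d, "10.0.5.20", "10.0.9.9", 300 * GB) for d in range(0, 8)]     # internal backup job
    + [(d, "10.0.5.21", "198.51.100.7", 2 * GB) for d in range(0, 8)]   # steady normal host
)

def is_external(addr):
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def per_flow_alerts(flows, limit=50 * GB):
    """Naive check: single external flows at or above a size limit."""
    return [f for f in flows if is_external(f[2]) and f[3] >= limit]

def daily_external_egress(flows):
    """Sum bytes sent to external destinations per source host and day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if is_external(dst):
            totals[src][day] += nbytes
    return totals

def flag_bulk_egress(flows, window_days=3, threshold=100 * GB):
    """Return {src: (first_alert_day, window_bytes)} for hosts whose external
    egress, summed over a trailing window of days, reaches the threshold."""
    alerts = {}
    for src, per_day in daily_external_egress(flows).items():
        for day in sorted(per_day):
            first = day - window_days + 1
            window = sum(per_day.get(d, 0) for d in range(first, day + 1))
            if window >= threshold:
                alerts[src] = (day, window)
                break
    return alerts

if __name__ == "__main__":
    print("per-flow alerts:", per_flow_alerts(SAMPLE_FLOWS))
    for src, (day, total) in flag_bulk_egress(SAMPLE_FLOWS).items():
        print(f"{src}: {total / GB:.0f} GB external egress by day {day}")
```

In practice the threshold would be derived from each host's own baseline rather than a fixed figure, and the internal backup traffic in the sample shows why destinations must be classified before volumes are summed.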