Ransomware | Port of Seattle | 2026-05-22

Port of Seattle: Rhysida Ransomware Data Theft


The Rhysida ransomware gang has claimed responsibility for stealing over 3TB of data from the Port of Seattle, releasing sample documents as proof of the breach. The exfiltrated data allegedly includes deeply sensitive personal information on employees and members of the public, including Social Security numbers, passport scans, and internal login credentials. The port authority restored the majority of its systems within a week, but the volume and sensitivity of the stolen data signal long-term repercussions for affected individuals.

What Happened

Rhysida added the Port of Seattle to its leak site, publishing sample files to substantiate its claim of holding more than 3TB of stolen data. The group operates a double-extortion model, encrypting victim systems while simultaneously exfiltrating data to use as leverage for ransom payment. Although Port of Seattle technical teams successfully brought the majority of impacted systems back online within roughly one week, the data exposure component of the incident remains unresolved. Rhysida is now actively pressuring the agency with public proof-of-theft postings.

What Was Taken

Sample documents released by Rhysida point to a wide-ranging trove of personally identifiable information. According to the gang's claims and published samples, the stolen dataset includes:

The combination of identity documents, biometric-adjacent descriptors, and authentication credentials makes this dataset particularly dangerous, enabling identity theft, account takeover, and targeted social engineering at scale.

Why It Matters

The Port of Seattle is a critical transportation node, operating Seattle-Tacoma International Airport and major maritime shipping facilities. An attack of this scale against critical infrastructure highlights Rhysida's continued willingness to target high-value public sector and infrastructure entities. According to BlackFog's most recent ransomware trend reporting, Rhysida-attributed attacks rose 7.6% month-over-month, with data exfiltration occurring in 93% of observed cases. The shift signals that ransomware operators are deprioritizing pure encryption in favor of theft-based extortion, where data alone provides leverage even when victims successfully restore systems from backup.

The Attack Technique

The specific initial access vector used against the Port of Seattle has not been publicly confirmed. Rhysida historically gains entry through phishing campaigns, exploitation of exposed remote services such as VPN and RDP appliances, and the abuse of valid credentials harvested from infostealer logs. Once inside, the group typically conducts hands-on-keyboard reconnaissance, escalates privileges, deploys living-off-the-land tooling for lateral movement, and stages large volumes of data for exfiltration before triggering encryption. The recovery of Port of Seattle systems within a week suggests segmentation and backup posture limited the encryption blast radius, but did nothing to stop the prior data theft.

What Organizations Should Do

  1. Audit and enforce phishing-resistant MFA on all remote access, administrative, and email accounts to blunt Rhysida's reliance on credential abuse.
  2. Hunt for known Rhysida indicators and TTPs, including suspicious PsExec usage, abnormal RDP sessions, and unauthorized use of remote management tools such as AnyDesk.
  3. Implement data loss prevention controls and egress monitoring to detect bulk data staging and transfer before exfiltration completes.
  4. Segment networks so that compromise of a single business unit cannot expose identity document repositories or HR systems holding SSNs and passport scans.
  5. Validate offline, immutable backup recovery procedures regularly so encryption events can be contained quickly, as Port of Seattle's recovery demonstrates.
  6. Prepare a public communications and breach notification plan in advance, since extortion-only attacks require disclosure to affected individuals even when operations are restored.
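Items 2 and 3 above, together with the hands-on-keyboard pattern described under The Attack Technique, can be turned into a first-pass hunt. What follows is an added example written for this page; it is not code from the article, from Rhysida, or from any vendor. It runs over constructed Windows Security/System event lines and egress-flow records (every host, user, address and byte count is invented) and relies only on documented field meanings: Event ID 4624 with logon type 10 is an RDP logon, Event ID 7045 with service name PSEXESVC is the default PsExec service install, and Event ID 4688 carries the image path of a newly created process. The business-hours window, the sanctioned jump-host list, the 1 GB egress threshold and the remote-tool list are assumed tuning values.

```python
"""Hunt constructed Windows event and egress-flow lines for the TTPs named above.

Added example for this page; not code from the article, from Rhysida, or from
any vendor. Field semantics are the documented Windows ones (EventID 4624 with
LogonType 10 = RDP logon, EventID 7045 ServiceName PSEXESVC = default PsExec
service install, EventID 4688 NewProcessName = launched image). Every host,
user, address and byte count below is invented for the example.
"""
from collections import defaultdict

# Constructed sample events, one per line as key=value pairs (values contain no spaces).
SAMPLE_WINDOWS = """\
ts=2026-05-20T01:12:04Z host=HR-FS01 EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=10.4.8.21
ts=2026-05-20T01:13:30Z host=HR-FS01 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
ts=2026-05-20T01:20:11Z host=WS-0417 EventID=4688 NewProcessName=C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe
ts=2026-05-20T10:15:00Z host=WS-0202 EventID=4624 LogonType=10 TargetUserName=itadmin IpAddress=10.4.1.5
ts=2026-05-20T09:30:00Z host=WS-0099 EventID=4624 LogonType=2 TargetUserName=asmith IpAddress=-
ts=2026-05-20T02:05:00Z host=HR-FS01 EventID=4688 NewProcessName=C:\\Windows\\System32\\notepad.exe
"""

# Constructed egress flow records (as a firewall or NetFlow export might produce).
SAMPLE_EGRESS = """\
ts=2026-05-20T02:10:00Z src=10.4.8.21 dst=203.0.113.50 dport=443 bytes_out=850000000
ts=2026-05-20T02:40:00Z src=10.4.8.21 dst=203.0.113.50 dport=443 bytes_out=900000000
ts=2026-05-20T02:41:00Z src=10.4.1.5 dst=198.51.100.7 dport=443 bytes_out=1200000
"""

# Assumed tuning values: adjust to the environment being monitored.
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59 UTC
KNOWN_JUMP_HOSTS = {"10.4.1.5"}          # the only sanctioned RDP sources
EGRESS_THRESHOLD_BYTES = 1_000_000_000   # 1 GB per src->dst pair in the window
REMOTE_TOOLS = {"anydesk.exe"}           # extend with other unsanctioned remote-management binaries


def parse(line):
    """Split 'k=v k=v ...' into a dict; values carry no spaces in this format."""
    return dict(kv.split("=", 1) for kv in line.split())


def hour_of(ts):
    """Hour field of an ISO-8601 timestamp such as 2026-05-20T01:12:04Z."""
    return int(ts[11:13])


def hunt_windows(text):
    """Return (kind, host, detail) tuples for abnormal RDP, PsExec and remote-tool signals."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        eid = ev.get("EventID")
        if eid == "4624" and ev.get("LogonType") == "10":
            # RDP logon outside business hours, or from a source that is not a sanctioned jump host
            src = ev.get("IpAddress", "-")
            off_hours = hour_of(ev["ts"]) not in BUSINESS_HOURS
            if off_hours or src not in KNOWN_JUMP_HOSTS:
                findings.append(("rdp_abnormal", ev["host"], f"{ev['TargetUserName']} from {src}"))
        elif eid == "7045" and ev.get("ServiceName", "").upper() == "PSEXESVC":
            # Default service name PsExec installs on the target; renamed copies (-r) evade this
            findings.append(("psexec_service", ev["host"], ev.get("ImagePath", "")))
        elif eid == "4688":
            image = ev.get("NewProcessName", "")
            if image.rsplit("\\", 1)[-1].lower() in REMOTE_TOOLS:
                findings.append(("remote_tool", ev["host"], image))
    return findings


def hunt_egress(text):
    """Sum bytes_out per (src, dst) pair and return pairs over the bulk-transfer threshold."""
    totals = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        totals[(rec["src"], rec["dst"])] += int(rec["bytes_out"])
    return [(s, d, b) for (s, d), b in totals.items() if b >= EGRESS_THRESHOLD_BYTES]


def correlate(findings):
    """Hosts showing two or more distinct signal kinds: the strongest hands-on-keyboard indicator."""
    kinds = defaultdict(set)
    for kind, host, _detail in findings:
        kinds[host].add(kind)
    return {h: sorted(k) for h, k in kinds.items() if len(k) >= 2}


if __name__ == "__main__":
    wins = hunt_windows(SAMPLE_WINDOWS)
    for f in wins:
        print("WINDOWS", *f)
    for s, d, b in hunt_egress(SAMPLE_EGRESS):
        print(f"EGRESS   {s} -> {d}: {b / 1e9:.2f} GB out")
    print("CORRELATED", correlate(wins))
```

On the constructed input the script flags the off-hours RDP logon and the PsExec service install on HR-FS01 (and correlates them as one host with two signal kinds), the AnyDesk launch on WS-0417, and the 1.75 GB sent from 10.4.8.21 to a single external address, while ignoring the sanctioned daytime RDP session and the interactive logon. Two caveats apply when adapting it: a renamed PsExec service (PsExec -r) will not match the PSEXESVC string, so pair this with 4688 parent/child process checks, and summing egress per pair over a fixed window is deliberately coarse; per-host baselines over several days are what make the threshold meaningful in a real environment.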

Source: Global Security Mag Online