Scope of Air Canada Breach Questioned

The BianLian ransomware gang challenges Air Canada’s official statement, alleging that the airline has downplayed the extent of the data breach. The gang claims to have in its possession technical, operational, and personal data spanning over a decade.


BianLian’s Shift in Strategy

Traditionally known for deploying ransomware and encrypting data, the BianLian gang appears to be pivoting towards purely data theft operations. This strategic change may be to avoid the complexities of encryption and to reduce visibility from law enforcement.


Data Previewed on Dark Web

Independent research from Balance Business Group confirms that data allegedly stolen from Air Canada is being previewed on the dark web. This revelation underscores the seriousness of the breach and the potential ramifications for affected parties.

News > Cyber-Attacks > Ransomware
by Kevin Wood

Air Canada Faces Scrutiny Over Extent of Data Breach as BianLian Gang Challenges Official Statement



No further comment from Air Canada

In the aftermath of a cyber attack against Air Canada last month, there are mounting concerns over the extent of the breach. The airline had previously stated that the attacker had “briefly obtained limited access to an internal Air Canada system related to limited personal information of some employees and certain records.” However, the exact volume of stolen data remained undisclosed.

The BianLian ransomware gang, which claims responsibility for the breach, has now countered the airline’s statement. Through its data leak site, the gang accused Air Canada of not revealing the full scope of the breach, stating, “Employee personal data is only a small fraction of the valuable data over which they have lost control.” The gang further claims to possess Air Canada’s technical and operational data spanning from 2008 to 2023, details of the company’s technical and security concerns, SQL backups, and other confidential documents.

In a bid to substantiate their claims, the gang shared a screenshot showcasing the names of purportedly stolen files, with samples available for public viewing. Brett Callow, a British Columbia-based threat analyst for Emsisoft, brought the gang’s message to light, though he remains uncertain of the authenticity of the data in question.

In response to these allegations, Air Canada issued a statement, emphasizing that the BianLian group had previously threatened to manipulate the media. The statement read, “BianLian had threatened to resort to exploiting the media in their unsuccessful extortion efforts. For this reason, we cannot comment on any claims made by an anonymous group based on cybercrime and we will not add anything to what we have said publicly. We trust that media will consider this and report on issues such as this responsibly.”

Interestingly, the BianLian gang is making efforts to paint itself in a positive light, highlighting that they refrained from deploying ransomware and only extracted data. Their message stated, “Realizing the potential damage we did not cause any damage to [Air Canada’s] infrastructure or internal resources, data exfiltration operation only.”

BianLian, like many of its peers, typically employs a double extortion tactic: pilfering data and then threatening its release or sale, while also encrypting servers. This forces victim organizations into a tight spot, compelling them to pay both for the stolen data and decryption keys. However, Callow noted a shift in BianLian’s operations since the end of the previous year, with a heightened focus on data theft, potentially under different aliases.

Callow speculated on the reasons behind this strategic shift, suggesting that the gang might perceive data theft alone as profitable enough without the added complications of managing encryption and decryption processes. Another possible reason could be an attempt to appear less conspicuous to law enforcement agencies, especially following high-profile attacks.

Our team at Balance Business Group undertook independent research on the dark web to verify these claims. Preliminary findings align with the reports from ransomware leak sites that data is indeed being previewed. The presence of such data on the dark web underscores the gravity of the situation and emphasizes the need for heightened cybersecurity measures across industries.

However, as Callow aptly pointed out, even if organizations are solely dealing with data thieves rather than ransomware gangs, any form of payment to these criminal entities only fuels the proliferation of cyber attacks.


  • Disaster Recovery Experts: BBG has years of experience in providing top-tier disaster recovery solutions, ensuring businesses can quickly rebound from unforeseen events and cyber incidents.
  • Ransomware Mitigation Specialists: With an in-depth understanding of ransomware tactics, BBG offers tailored mitigation strategies to prevent, detect, and respond to ransomware threats.
  • Dark Web Monitoring: Our dedicated team constantly monitors the dark web for any signs of our clients’ data, allowing for swift action if a breach occurs.
  • Assistance for Affected Companies: If your company faces a cyber threat or has been a victim of a breach, BBG’s team of experts stands ready to provide immediate assistance, from containment to recovery.  Contact us today to get a meeting scheduled!  Email us at